Abstract

In this dissertation we collect some results about "interactive realizability", a realizability semantics that extends the Brouwer-Heyting-Kolmogorov interpretation to (sub-)classical logic, more precisely to first-order intuitionistic arithmetic (Heyting Arithmetic, HA) extended by the law of the excluded middle restricted to $\Sigma^0_1$ formulas ($\mathrm{EM}_1$), a system motivated by its interest in proof mining. These results are three interconnected works, listed below.

• We describe the interactive interpretation of a classical proof involving real numbers. The statement we prove is a simple but non-trivial fact about points in the real plane. The proof employs $\mathrm{EM}_1$ to deduce properties of the ordering on the real numbers, which is undecidable and thus problematic from a constructive point of view.

• We present a new set of reductions for derivations in natural deduction that can extract witnesses from closed derivations of simply existential formulas in HA + $\mathrm{EM}_1$. The reductions we present are inspired by the informal idea of learning by making falsifiable hypotheses and checking them, and by the interactive realizability interpretation. We extract the witnesses directly from derivations in HA + $\mathrm{EM}_1$ by reduction, without encoding derivations by a realizability interpretation.

• We give a new presentation of interactive realizability with a more explicit syntax. We express interactive realizers by means of an abstract framework that applies the monadic approach used in functional programming to modified realizability, in order to obtain less strict notions of realizability that are suitable to classical logic. In particular we use a combination of the state and exception monads in order to capture the learning-from-mistakes nature of interactive realizers.
Chapter 1

Preface

1.1 Proofs and Computations

From the beginning intuitionistic logic has been linked to the idea of computation. In hindsight, this is already implicit in the Brouwer-Heyting-Kolmogorov (BHK) interpretation, which is presented in terms of proofs, constructions and transformations thereof (or problems in the case of Kolmogorov).

The connection becomes more evident with the introduction of recursive realizability by Kleene in [14] and, later, modified realizability by Kreisel in [15]. Realizability semantics can be thought of as formalizations of the BHK interpretation, where the vague notions of proof, construction and transformation are replaced with the notions of computable functionals.

This connection is made fully explicit by the Curry-Howard correspondence [13], where the whole proof is seen as a program and the conclusion as the type or the specification of the program. While interpreting an intuitionistic proof as a computation is quite natural (in hindsight), this is not the case for classical proofs.

A computational interpretation of a classical proof can be obtained by first translating a classical proof into an intuitionistic one by means of double-negation translation. This approach was used by Gödel to prove relative consistency results for classical and intuitionistic arithmetic. However, the double-negation translation transforms informative statements into non-informative ones, so the computations we can extract in this way yield trivial results.



Moreover, this approach is indirect, while proofs and computations are almost indistinguishable in intuitionistic logic.

We quote from [23]:

Until around 1990 there was a widespread consensus to the effect that "there is 
no Curry-Howard isomorphism for classical logic." However, at that time Tim 
Griffin made a path-breaking discovery which have convinced most critics that 
classical logics have something to offer the Curry-Howard isomorphism. 

In [12], Griffin extends the Curry-Howard correspondence to classical proofs, employing 
functional programs with first-class continuations. In Griffin's own words: 

The programming language Scheme contains the control construct call/cc that allows access to the current continuation (the current control context). This, in effect, provides Scheme with first-class labels and jumps. We show that the well-known formulae-as-types correspondence, which relates a constructive proof of a formula $\alpha$ to a program of type $\alpha$, can be extended to a typed Idealized Scheme. What is surprising about this correspondence is that it relates classical proofs to typed programs.

After Griffin's discovery, other interpretations extending the Curry-Howard correspondence to classical logic have been put forward. In [19], Parigot introduces the $\lambda\mu$-calculus, an extension of lambda calculus with an additional kind of variables for subterms.

In [16], Krivine devised a new notion of realizability for classical logic called "classical realizability". In classical realizability realizers are written in an untyped lambda calculus with save/restore operators for the execution context and they are interpreted by an abstract machine that allows the manipulation of execution contexts, represented as "stacks" of arguments.

Interactive realizability is a more recent proof interpretation for classical logic and the 
main focus of this dissertation. 

1.2 Interactive Realizability 

Introduced by Berardi and de'Liguoro in [5, 6], interactive realizability is a technique for understanding and extracting the computational content in the case of the sub-classical logic HA + $\mathrm{EM}_1$ (Heyting Arithmetic extended by the law of the excluded middle restricted to $\Sigma^0_1$ formulas).

The main inspiration sources for interactive realizability are Coquand's game theoretic 
semantics for classical arithmetic and Gold's idea of learning in the limit. 

Gold's original interest is language learnability, for instance a child learning the grammar of a language by repeated exposure to correct sentences. We expect that the child will eventually learn the language and stop making mistakes when speaking. The interesting point is that we do not know how many sentences he needs to complete the learning. In [11], he defines what it means to learn the answer to some question from an unlimited amount of evidence and in a finite time as follows:

The purpose of this paper is to discuss the classes of problems that can be solved 
by infinitely long decision procedures in the following sense: An algorithm is 
given which, for any problem of the class, generates an infinitely long sequence 
of guesses. The problem will be said to be solved in the limit if, after some finite 
point in the sequence, all the guesses are correct and the same (in case there is 
more than one correct answer). 

In [9], Coquand presents a novel game theoretic semantics. As customary in game semantics, each formula defines a game for two players: Eloise, trying to show that the formula is true, and Abelard, trying to show that it is not. A formula is then validated by the existence of a winning strategy for Eloise.

Coquand takes the game for intuitionistic logic and extends it to classical logic by allowing Eloise to retract her moves: instead of answering to the last move made by Abelard, she can change her mind on her previous moves and go back to any past position. Thus a new game with asymmetric backtracking is defined, where Eloise holds the advantage and the existence of a backtracking strategy validates classical logic.

In [5, 6], Berardi and de'Liguoro recast Coquand's idea of backtracking strategy as a strategy for learning the truth of classical statements in the limit in Gold's sense. Moreover, they present their proof interpretation as a realizability rather than game theoretic semantics and write backtracking strategies as learning algorithms in a simply typed $\lambda$-calculus with primitive recursion.

The aim of interactive realizability as a proof interpretation for classical logic is to express the computational content of a suitable subset of classical proofs in an understandable form. This is the motivation for its peculiar features, which we summarize in the following.

• The interactive interpretation is "faithful" to the classical proof, meaning that the computation follows closely the original proof. This is possible since interactive realizability interprets the proof directly, without resorting to proof translations. We also avoid adding computations that are not explicitly present in the proof, for instance blind searches to realize existential statements.

• A common feature of computational interpretations of classical logic is that they extract programs that manipulate the execution context, that is, they need continuations. However, the use of continuations can make a program hard to follow. Interactive realizability uses the idea of learning to explain the manipulations of the execution contexts that are needed to backtrack. In particular this is accomplished by means of a knowledge state, which is increased during the learning process and which acts as a guide in the execution of the interactive interpretation.

• Interactive realizability is compositional, meaning that the interactive interpretations of different parts of a single proof can be given independently and then composed to obtain the interactive interpretation of the whole proof.

• In this dissertation we only consider proofs where the law of the excluded middle is restricted to $\Sigma^0_1$ formulas. In this case interactive realizers use simpler constructs like states and exceptions instead of continuations in order to handle the backtracking nature of the computational content of classical proofs.
Chapter 2

Preliminaries



In this chapter we introduce the notation and the tools we shall use in the rest of the thesis. Our analysis is mainly concerned with proofs in first-order arithmetic, both intuitionistic (HA) and classical (PA). We also introduce a simply typed lambda calculus, which we use to give realizability interpretations of proofs.

2.1 Constructive Arithmetic in Natural Deduction 

In this section, we introduce Heyting Arithmetic and the axiom for the law of the excluded 
middle, which will be the logical setting of the whole dissertation. We briefly describe the 
language of first-order logic, the rules of minimal logic in natural deduction, the axioms and 
rules of arithmetic and the restricted excluded middle axiom schemes. 

2.1.1 Primitive Recursive Functions and Predicates 

In the language of arithmetic we include symbols for all the primitive recursive functions 
and predicates in arithmetic. We briefly recall their definition. 

We only consider arithmetical functions, that is, functions from the natural numbers to the natural numbers, which we denote with $\mathbb{N}$. These functions take $n$ arguments for some natural number $n$ and are called $n$-ary. We use the metavariables $f^{(n)}, g^{(n)}, h^{(n)}$ for $n$-ary functions.
Primitive recursive functions are defined by induction. The basic primitive recursive functions are the following:

the constant function: the 0-ary constant function $0$,

the successor function: the 1-ary successor function $\mathrm{succ}$, which returns the successor of its argument,

the projection functions: for every $n \geq 1$ and each $i$ with $1 \leq i \leq n$, the $n$-ary projection function $P^n_i$, which returns its $i$-th argument:

\[ P^n_i(x_1, \ldots, x_n) = x_i. \]

More complex primitive recursive functions can be obtained by combining basic or previously defined primitive recursive functions. Given the primitive recursive functions $g^{(n)}$, $h_1^{(m)}, \ldots, h_n^{(m)}$ and $h^{(k+2)}$, we can define new primitive recursive functions in two ways:

composition: the composition of $g$ with $h_1, \ldots, h_n$, i.e. the $m$-ary function

\[ \mathrm{comp}(g, h_1, \ldots, h_n)(x_1, \ldots, x_m) = g(h_1(x_1, \ldots, x_m), \ldots, h_n(x_1, \ldots, x_m)), \]

is primitive recursive;

primitive recursion: the $(k+1)$-ary function $\mathrm{rec}\,g\,h$ is defined as the primitive recursion of $g$ and $h$, i.e. the function

\[
\begin{aligned}
\mathrm{rec}\,g\,h(0, x_1, \ldots, x_k) &= g(x_1, \ldots, x_k), \\
\mathrm{rec}\,g\,h(\mathrm{succ}(y), x_1, \ldots, x_k) &= h(y, \mathrm{rec}\,g\,h(y, x_1, \ldots, x_k), x_1, \ldots, x_k),
\end{aligned}
\]

is primitive recursive.

Now we can define primitive recursive predicates by saying that they are the predicates whose characteristic function is a primitive recursive function. More precisely an $n$-ary predicate $p$ is primitive recursive if and only if there is a primitive recursive $f^{(n)}$ such that:

\[ p(x_1, \ldots, x_n) \text{ if and only if } f(x_1, \ldots, x_n) = 1, \]

for any $x_1, \ldots, x_n \in \mathbb{N}$.
2.1.2 The Language of Arithmetic

In this subsection we define the language of first-order arithmetic.

Let $\{\mathcal{F}_n\}_{n \in \mathbb{N}}$ and $\{\mathcal{R}_n\}_{n \in \mathbb{N}}$ be two indexed sets of non-logical symbols. We assume that $\mathcal{F}_n$ contains symbols for all and only the primitive recursive (total) functions of arity $n$, that is, functions in $\mathbb{N}^n \to \mathbb{N}$. Compare our language with the language of Primitive Recursive Arithmetic (PRA) [22]. Since we have induction on quantified formulas, unlike in PRA, in principle we only need to define the zero constant, the successor function, addition and multiplication (see [17, p. 155]). However, we prefer a richer language with symbols for all the primitive recursive functions and relations, because it is simpler to use.

Similarly we assume that $\mathcal{R}_n$ contains symbols for all and only the primitive recursive relations of arity $n$, that is, subsets of $\mathbb{N}^n$. We use the metavariables $f^{(n)}, g^{(n)}, h^{(n)}$ for function symbols and $p^{(n)}, q^{(n)}, r^{(n)}$ for relation symbols, omitting the superscript when we do not need it.

The 0-ary symbols are called constants. We assume that some standard symbols are present:



    $\mathcal{F}_0$: $0$           $\mathcal{R}_0$: $\top$, $\bot$
    $\mathcal{F}_1$: $\mathrm{succ}$
    $\mathcal{F}_2$: $+$, $\cdot$   $\mathcal{R}_2$: $=$, $<$, $\leq$



For the sake of readability we informally write $n$ instead of $\mathrm{succ}^n(0)$ and we shall use the infix notation for binary functions and relations.

Let $\mathcal{V}$ be an enumerable set of variable symbols. We use the metavariables $x, y, z$ for variable symbols.

We use the metavariable $t$ for arithmetic terms, which are defined as:

\[ t ::= x \mid f^{(n)}(t_1, \ldots, t_n) \]

We use the metavariables $P, Q, R$ for atomic formulas, defined as:

\[ P ::= p^{(n)}(t_1, \ldots, t_n) \]

Finally, we use the metavariables $A, B, C$ for (well formed) formulas, defined as:

\[ A ::= P \mid B \wedge C \mid B \vee C \mid B \to C \mid \forall x. B \mid \exists x. B \]

The entire grammar is given more concisely in Table 2.1.
Table 2.1: The language of first-order arithmetic.

                          Metavariables                   Definition
    function symbols      $f^{(n)}, g^{(n)}, h^{(n)}$     elements of $\mathcal{F}_n$
    relation symbols      $p^{(n)}, q^{(n)}, r^{(n)}$     elements of $\mathcal{R}_n$
    arithmetic variables  $x, y, z$                       elements of $\mathcal{V}$
    arithmetic terms      $t$                             $t ::= x \mid f^{(n)}(t_1, \ldots, t_n)$
    atomic formulas       $P, Q, R$                       $P ::= p^{(n)}(t_1, \ldots, t_n)$
    formulas              $A, B, C$                       $A ::= P \mid B \wedge C \mid B \vee C \mid B \to C \mid \forall x. B \mid \exists x. B$



We write $\ast[x_1, \ldots, x_n := t_1, \ldots, t_n]$ for the simultaneous substitution of the variables $x_1, \ldots, x_n$ with the terms $t_1, \ldots, t_n$ in the expression $\ast$ (a term or a formula).

We use a compact notation for bounded quantification on natural numbers:

\[
\begin{aligned}
\forall x < t.\, A &\text{ stands for } \forall x.\, x < t \to A, \\
\exists x < t.\, A &\text{ stands for } \exists x.\, x < t \wedge A.
\end{aligned}
\]

The language of first-order arithmetic is the language of both Heyting Arithmetic and 
Peano Arithmetic. 



2.1.3 Reduction on Arithmetic Terms 

In this subsection we introduce a reduction on arithmetic terms. Since arithmetic terms are built from primitive recursive functions, we can transform the equations defining them into reductions in a natural way.

A term $t$ is a numeral if it is either $0$ or $\mathrm{succ}(u)$ for some numeral $u$. We consider numerals as the basic arithmetic terms, so we do not reduce them.

Consider a term $t$ built by composition, for instance:

\[ f(t_1, \ldots, t_i, \ldots, t_n). \]

The first option is to reduce one of the arguments: for any $1 \leq i \leq n$, if $t_i$ reduces to $t'_i$, then

\[ f(t_1, \ldots, t_i, \ldots, t_n) \to f(t_1, \ldots, t'_i, \ldots, t_n). \]
The second option is to reduce the whole term. In this case which reduction we use depends on how the primitive recursive function denoted by $f$ is defined. As we said, if $f$ denotes zero or the successor function, it does not reduce. If $f$ denotes a projection function $P^n_i$, then it reduces as follows:

\[ f(t_1, \ldots, t_n) \to t_i, \]

exactly as in the definition of $P^n_i$. If $f$ denotes the composition of functions whose symbols are $g, h_1, \ldots, h_n$, then it reduces as follows:

\[ f(t_1, \ldots, t_m) \to g(h_1(t_1, \ldots, t_m), \ldots, h_n(t_1, \ldots, t_m)). \]

If $f$ denotes the primitive recursion of two other functions whose symbols are $g$ and $h$, then $f$ reduces as follows:

\[
\begin{aligned}
f(0, t_1, \ldots, t_k) &\to g(t_1, \ldots, t_k), \\
f(\mathrm{succ}(u), t_1, \ldots, t_k) &\to h(u, f(u, t_1, \ldots, t_k), t_1, \ldots, t_k),
\end{aligned}
\]

depending on the form of the first argument.

We have essentially described how to compute primitive recursive functions. This reduction is strongly normalizing and the normal form is unique. In the case of closed terms the normal form is a numeral.

We can extend this reduction from terms to formulas, by reducing the terms contained in a formula. Strong normalization and uniqueness are preserved.
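The following Python evaluator is added here as an illustration and is not code from the dissertation. It implements the function constructors of Section 2.1.1 (zero, successor, projections, composition and primitive recursion), the term reduction of Section 2.1.3 and the characteristic-function reading of primitive recursive predicates. The class names, the representation of the numeral $\mathrm{succ}^k(0)$ as the integer $k$, and the sample definitions of addition, multiplication and the predicate "$y = 0$" are my own choices.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# --- function symbols, one class per clause of Section 2.1.1 ---------------
@dataclass(frozen=True)
class Zero:                      # the 0-ary constant 0
    arity: int = 0

@dataclass(frozen=True)
class Succ:                      # the 1-ary successor function
    arity: int = 1

@dataclass(frozen=True)
class Proj:                      # P^n_i: returns the i-th of its n arguments
    n: int
    i: int
    @property
    def arity(self) -> int:
        return self.n

@dataclass(frozen=True)
class Comp:                      # comp(g, h_1, ..., h_n), an m-ary function
    g: Func
    hs: Tuple[Func, ...]
    m: int
    @property
    def arity(self) -> int:
        return self.m

@dataclass(frozen=True)
class Rec:                       # rec g h: primitive recursion, (k+1)-ary
    g: Func                      # k-ary base case
    h: Func                      # (k+2)-ary step case
    @property
    def arity(self) -> int:
        return self.g.arity + 1

Func = Union[Zero, Succ, Proj, Comp, Rec]
# A closed term is a numeral succ^k(0), represented as the int k, or an
# application (f, (t_1, ..., t_n)) of a function symbol to n terms.
Term = Union[int, Tuple[Func, Tuple["Term", ...]]]

def step(t: Term) -> Optional[Term]:
    """One reduction step of Section 2.1.3, or None when t is in normal form."""
    if isinstance(t, int):                 # numerals do not reduce
        return None
    f, args = t
    # First option: reduce one of the arguments (we always pick the leftmost).
    for k, a in enumerate(args):
        a2 = step(a)
        if a2 is not None:
            return (f, args[:k] + (a2,) + args[k + 1:])
    # Second option: every argument is a numeral, so reduce the whole term
    # according to the definition of the function symbol f.
    if isinstance(f, Zero):
        return 0
    if isinstance(f, Succ):
        return args[0] + 1                 # succ(k) is the numeral k+1
    if isinstance(f, Proj):
        return args[f.i - 1]               # P^n_i(t_1, ..., t_n) -> t_i
    if isinstance(f, Comp):                # f(ts) -> g(h_1(ts), ..., h_n(ts))
        return (f.g, tuple((h, args) for h in f.hs))
    if isinstance(f, Rec):
        y, rest = args[0], args[1:]
        if y == 0:                         # f(0, xs) -> g(xs)
            return (f.g, rest)
        u = y - 1                          # f(succ(u), xs) -> h(u, f(u, xs), xs)
        return (f.h, (u, (f, (u,) + rest)) + rest)
    raise TypeError(f"unknown function symbol {f!r}")

def normalize(t: Term) -> int:
    """Iterate `step` to the unique normal form; for a closed term it is a numeral."""
    while (t2 := step(t)) is not None:
        t = t2
    assert isinstance(t, int)
    return t

def holds(p: Func, args: Tuple[int, ...]) -> bool:
    """A primitive recursive predicate holds iff its characteristic function gives 1."""
    return normalize((p, args)) == 1

# Sample definitions (constructed here, not taken from the dissertation):
#   add(y, x)  = rec P^1_1 (succ o P^3_2)
#   mult(y, x) = rec (constant 0) (add o <P^3_2, P^3_3>)
#   iszero(y)  = rec 1 (constant 0), the characteristic function of "y = 0"
ADD = Rec(g=Proj(1, 1), h=Comp(Succ(), (Proj(3, 2),), 3))
MULT = Rec(g=Comp(Zero(), (), 1), h=Comp(ADD, (Proj(3, 2), Proj(3, 3)), 3))
ISZERO = Rec(g=Comp(Succ(), (Zero(),), 0), h=Comp(Zero(), (), 2))

if __name__ == "__main__":
    print(normalize((ADD, (2, 3))), normalize((MULT, (2, 3))))   # 5 6
    print(holds(ISZERO, (0,)), holds(ISZERO, (5,)))              # True False
```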

2.1.4 Axioms and Rules of Intuitionistic Logic 

In this subsection we describe natural deduction as a notation for formal proofs and the 
axioms and the rules of intuitionistic logic with equality. 

A derivation is a formal diagram that describes a proof. We write derivations in natural deduction, that is, as labeled trees of annotated formulas, with the requirement that any subtree conforms to one of a number of patterns called rules of inference or simply rules. An annotated formula consists of a formula, the name of the rule it conforms to and a unique label. In a proof tree the same formula can and often does appear in more than one place. Similarly a rule can be applied many times. In order to distinguish these multiple instances, when reasoning about the structure of a derivation we speak about formula occurrences and rule instances.

We draw derivations with the root at the bottom. The top formulas of the tree are axiom 
instances if they are derived from a rule with no premisses, discharged assumption instances 
if they are discharged by a rule instance below them or open assumption instances if they 
are not. 

In an elimination rule the premiss containing the logical operator being eliminated is 
called the major premiss; the other premisses are called minor premisses. We follow a 
common convention in writing rules and place the major premiss in the leftmost position. 
For introduction and atomic rules we consider all premisses to be major premisses. 

We call a rule atomic when its assumptions and conclusion are all atomic formulas. We 
call atomic axiom an atomic rule without premisses. 

There are two notations for natural deduction that differ on how they represent open assumptions. For instance, consider the implication introduction rule written in two ways:

\[
\dfrac{\begin{array}{c}[A]^a \\ \vdots \\ B\end{array}}{A \to B}\ {\to}I^a
\qquad\qquad
\dfrac{\Gamma, a : A \vdash B}{\Gamma \vdash A \to B}\ {\to}I
\]

We say that the leftmost rule is written in Gentzen's style and the rightmost one in sequent style. In the Gentzen's style rule the open assumption $A$ is inside square brackets with a superscript label $a$ to show that it is discharged by the rule also labeled with $a$. Note that labels are essential: if we remove them we may not know which rule instance discharges an occurrence of an open assumption.

In the sequent style rule all the open assumptions a formula depends on are in the list (metavariable $\Gamma$) of couples of labels and formulas that precedes the symbol $\vdash$. The fact that the rule discharges an open assumption $A$ is clear from the fact that $A$ is in the open assumption list of the premiss and is not in the list of the conclusion.

The simplest rule is the identity rule, which shows how to use an open assumption: it says that if we assumed a formula $A$ we can derive $A$, whence the name. When using Gentzen's style it is usually left implicit, but it needs to be written in sequent style. We give both versions:

\[
\dfrac{[A]^a}{A}\ \mathrm{Id}
\qquad\qquad
\dfrac{}{\Gamma \vdash A}\ \mathrm{Id}
\]

where $\Gamma$ contains $a : A$ for some label $a$.

We can now present the rules of minimal logic, a subset of intuitionistic and of classical logic. It consists of ten rules, one introduction rule and one elimination rule for each of the five logical connectives. They are listed in Gentzen's style in Figure 2.1 and in sequent style in Figure 2.2. The usual restrictions apply to rules $\forall I$ and $\exists E$: in $\forall I$ we assume that $x$ is not free in any assumption in $\Gamma$; in $\exists E$ we assume that $x = y$ or $y$ is not free in $A$ and $y$ is not free in any assumption in $\Gamma$.

Figure 2.1: Rules for minimal logic, in Gentzen's style natural deduction.

\[
\begin{array}{ccc}
\dfrac{A \quad B}{A \wedge B}\ {\wedge}I &
\dfrac{A \wedge B}{A}\ {\wedge}E_R &
\dfrac{A \wedge B}{B}\ {\wedge}E_L \\[3ex]
\dfrac{A}{A \vee B}\ {\vee}I_R &
\dfrac{B}{A \vee B}\ {\vee}I_L &
\dfrac{A \vee B \quad \begin{array}{c}[A]^a \\ \vdots \\ C\end{array} \quad \begin{array}{c}[B]^a \\ \vdots \\ C\end{array}}{C}\ {\vee}E^a \\[5ex]
\dfrac{\begin{array}{c}[A]^a \\ \vdots \\ B\end{array}}{A \to B}\ {\to}I^a &
\dfrac{A \to B \quad A}{B}\ {\to}E & \\[5ex]
\dfrac{A}{\forall x. A}\ {\forall}I &
\dfrac{\forall x. A}{A[x := t]}\ {\forall}E & \\[3ex]
\dfrac{A[x := t]}{\exists x. A}\ {\exists}I &
\dfrac{\exists x. A \quad \begin{array}{c}[A[x := y]]^a \\ \vdots \\ C\end{array}}{C}\ {\exists}E^a &
\end{array}
\]


Intuitionistic logic has all the rules of minimal logic with the addition of the ex falso quodlibet rule:

\[ \dfrac{\bot}{A}\ {\bot}E \]

which can be thought of as an elimination rule for the atomic formula $\bot$. For technical reasons we prefer to have atomic rules when possible, so instead of the ${\bot}E$ rule we consider its restricted version, where the conclusion can only be an atomic formula:

\[ \dfrac{\bot}{P}\ {\bot}E_0 \]

Then ${\bot}E_0$ is an atomic rule. The ${\bot}E$ rule is admissible given the ${\bot}E_0$ rule. It is easy to prove by induction on the structure of the conclusion of the ${\bot}E$ rule. For instance we can prove $A = P \to Q$ from $\bot$:

\[ \dfrac{\dfrac{\bot}{Q}\ {\bot}E_0}{P \to Q}\ {\to}I \]

Figure 2.2: Rules for minimal logic, in sequent style natural deduction.

\[
\begin{array}{ccc}
\dfrac{\Gamma \vdash A \quad \Gamma \vdash B}{\Gamma \vdash A \wedge B}\ {\wedge}I &
\dfrac{\Gamma \vdash A \wedge B}{\Gamma \vdash A}\ {\wedge}E_R &
\dfrac{\Gamma \vdash A \wedge B}{\Gamma \vdash B}\ {\wedge}E_L \\[3ex]
\dfrac{\Gamma \vdash A}{\Gamma \vdash A \vee B}\ {\vee}I_R &
\dfrac{\Gamma \vdash B}{\Gamma \vdash A \vee B}\ {\vee}I_L &
\dfrac{\Gamma \vdash A \vee B \quad \Gamma, a_{k+1} : A \vdash C \quad \Gamma, a_{k+1} : B \vdash C}{\Gamma \vdash C}\ {\vee}E \\[3ex]
\dfrac{\Gamma, a_{k+1} : A \vdash B}{\Gamma \vdash A \to B}\ {\to}I &
\dfrac{\Gamma \vdash A \to B \quad \Gamma \vdash A}{\Gamma \vdash B}\ {\to}E & \\[3ex]
\dfrac{\Gamma \vdash A}{\Gamma \vdash \forall x. A}\ {\forall}I &
\dfrac{\Gamma \vdash \forall x. A}{\Gamma \vdash A[x := t]}\ {\forall}E & \\[3ex]
\dfrac{\Gamma \vdash A[x := t]}{\Gamma \vdash \exists x. A}\ {\exists}I &
\dfrac{\Gamma \vdash \exists x. A \quad \Gamma, a_{k+1} : A[x := y] \vdash C}{\Gamma \vdash C}\ {\exists}E &
\end{array}
\]


First-order logic always assumes the existence of a binary relation symbol = and axioms 
and rules defining it as an equivalence relation compatible with functions and relations. 
These axioms and rules are given in Gentzen's style in Figure 2.3 and in sequent style in 
Figure 2.4. Note that they are all atomic. 
Figure 2.3: Rules for the equality predicate, in Gentzen's style natural deduction.

\[
\dfrac{}{t = t}\ \mathrm{Refl}
\qquad
\dfrac{t = u}{u = t}\ \mathrm{Sym}
\qquad
\dfrac{t = u \quad u = v}{t = v}\ \mathrm{Trans}
\]
\[
\dfrac{t_1 = u_1 \quad \cdots \quad t_n = u_n}{f^{(n)}(t_1, \ldots, t_n) = f^{(n)}(u_1, \ldots, u_n)}\ \mathrm{Sub}_{\mathcal{F}}
\qquad
\dfrac{t_1 = u_1 \quad \cdots \quad t_n = u_n \quad p^{(n)}(t_1, \ldots, t_n)}{p^{(n)}(u_1, \ldots, u_n)}\ \mathrm{Sub}_{\mathcal{R}}
\]

Figure 2.4: Rules for the equality predicate, in sequent style natural deduction.

\[
\dfrac{}{\Gamma \vdash t = t}\ \mathrm{Refl}
\qquad
\dfrac{\Gamma \vdash t = u}{\Gamma \vdash u = t}\ \mathrm{Sym}
\qquad
\dfrac{\Gamma \vdash t = u \quad \Gamma \vdash u = v}{\Gamma \vdash t = v}\ \mathrm{Trans}
\]
\[
\dfrac{\Gamma \vdash t_1 = u_1 \quad \cdots \quad \Gamma \vdash t_n = u_n}{\Gamma \vdash f^{(n)}(t_1, \ldots, t_n) = f^{(n)}(u_1, \ldots, u_n)}\ \mathrm{Sub}_{\mathcal{F}}
\qquad
\dfrac{\Gamma \vdash t_1 = u_1 \quad \cdots \quad \Gamma \vdash t_n = u_n \quad \Gamma \vdash p^{(n)}(t_1, \ldots, t_n)}{\Gamma \vdash p^{(n)}(u_1, \ldots, u_n)}\ \mathrm{Sub}_{\mathcal{R}}
\]


2.1.5 Axiom and Rules of Arithmetic 

In this subsection we present the axioms and the rules of Heyting Arithmetic (HA). The rules defining the function symbols $\mathrm{succ}$, $+$ and $\cdot$ are in Figure 2.5.

Figure 2.5: Axioms and rules for the successor, addition and multiplication, in Gentzen's style natural deduction.

\[
\dfrac{\mathrm{succ}(t) = 0}{\bot}\ \mathrm{Zero}
\qquad
\dfrac{\mathrm{succ}(t) = \mathrm{succ}(u)}{t = u}\ \mathrm{Succ}
\]
\[
\dfrac{}{t + 0 = t}\ \mathrm{Add}_0
\qquad
\dfrac{}{t + \mathrm{succ}(u) = \mathrm{succ}(t + u)}\ \mathrm{Add}_{\mathrm{succ}}
\]
\[
\dfrac{}{t \cdot 0 = 0}\ \mathrm{Mult}_0
\qquad
\dfrac{}{t \cdot \mathrm{succ}(u) = t \cdot u + t}\ \mathrm{Mult}_{\mathrm{succ}}
\]
Induction

The last rule we need to add to have the full HA is induction. Induction can be thought of as the requirement that any natural number can be written as $\mathrm{succ}(\ldots(\mathrm{succ}(0)))$. In first-order logic it is usually expressed by saying that, for any formula $A$, if $A(0)$ holds and $A(x + 1)$ holds whenever $A(x)$ holds, then $A$ holds for any natural number. Induction has many different but equivalent formulations and it can be written as either an axiom or a rule. The most common formulation is the following induction axiom schema:

\[ A[x := 0] \wedge (\forall x.\, A \to A[x := \mathrm{succ}(x)]) \to \forall x.\, A, \]

where $A$ is any formula. This axiom can be written as the induction rule in Gentzen's style:

\[
\dfrac{A[x := 0] \quad \begin{array}{c}[A]^a \\ \vdots \\ A[x := \mathrm{succ}(x)]\end{array}}{\forall x.\, A}\ \mathrm{Ind}^a
\]

or in sequent style:

\[
\dfrac{\Gamma \vdash A[x := 0] \quad \Gamma, a : A \vdash A[x := \mathrm{succ}(x)]}{\Gamma \vdash \forall x.\, A}\ \mathrm{Ind}
\]

A related axiom is complete or course-of-values induction, which states that if $A(x)$ holds whenever $A(y)$ holds for all $y < x$ then $A$ holds for any natural number. The axiom for complete induction is written as:

\[ (\forall y < x.\, A[x := y]) \to \forall x.\, A \]

While this axiom appears to be stronger than the induction axiom we just defined, it is actually equivalent. This can be seen by considering the standard induction rule for the formula

\[ B = \forall y < x.\, A[x := y]. \]

For more details see [21, p. 213].

We can write a rule for complete induction in Gentzen's style:

\[
\dfrac{\begin{array}{c}[\forall y < x.\, A[x := y]]^a \\ \vdots \\ A\end{array}}{\forall x.\, A}\ \mathrm{CInd}^a
\]

or in sequent style:

\[
\dfrac{\Gamma, a : \forall y < x.\, A[x := y] \vdash A}{\Gamma \vdash \forall x.\, A}\ \mathrm{CInd}
\]

Now we have all the ingredients we need in order to define Heyting Arithmetic, the 
standard intuitionistic theory of arithmetic. 

Definition 1 (Heyting Arithmetic). Heyting Arithmetic (HA) is defined as the first-order logic theory whose language is the language of arithmetic and whose axioms and rules are the following:

• the identity rule,

• the rules of minimal logic,

• the rule for ex falso quodlibet restricted to atomic formulas,

• the axiom and rules for equality,

• the axiom and rules for successor, addition and multiplication,

• any one of the axioms and rules for induction or complete induction.

2.1.6 Axioms for the Law of the Excluded Middle 

In this subsection we introduce a hierarchy of axiom schemes that are restrictions of the law of the excluded middle, taken from [1]. We refer to the same work for explanations and proofs of our claims in this subsection.

We define a purely syntactical version of the usual classification for formulas in prenex normal form in arithmetic.

Definition 2 (Syntactical Arithmetical Hierarchy). We define the following classes of formulas by induction on $n$:

• $\Pi^0_0$ and $\Sigma^0_0$ are the set of the quantifier free formulas,

• $\Pi^0_{n+1}$ is the set of the formulas $\forall x.\, A$ where $A \in \Sigma^0_n$,

• $\Sigma^0_{n+1}$ is the set of the formulas $\exists x.\, A$ where $A \in \Pi^0_n$.
We do not require closure for logical equivalence and thus the definition of $\Pi^0_n$ and $\Sigma^0_n$ is purely syntactical. Since the negation of a formula in prenex normal form is not in prenex normal form we define the following negative conversion, which we call the dual of a formula:

\[
A^{\bot} =
\begin{cases}
\exists x.\, B^{\bot} & \text{if } A = \forall x.\, B,\ B \in \Sigma^0_n, \\
\forall x.\, B^{\bot} & \text{if } A = \exists x.\, B,\ B \in \Pi^0_n, \\
\neg A & \text{if } A \in \Pi^0_0.
\end{cases}
\]

Note that if $A$ is a $\Pi^0_n$ (resp. $\Sigma^0_n$) formula then $A^{\bot}$ is a $\Sigma^0_n$ (resp. $\Pi^0_n$) formula. Moreover $A^{\bot}$ is classically equivalent to $\neg A$ and intuitionistically stronger than $\neg A$, except when $A$ is a $\Pi^0_0$ formula, in which case it is equivalent to $\neg A$.

The law of the excluded middle says that any statement is either true or false. More precisely, it says that either a statement is true or its negation is true. This is intuitionistically equivalent to the fact that either a statement is true or its dual is true. We define a sequence of restricted forms of this law.

Definition 3 (Restricted Excluded Middle Axiom Schemas). For any $n \in \mathbb{N}$, we define the limited law of the excluded middle $\mathrm{EM}_n$ as the axiom schema:

\[ A^{\bot} \vee A, \qquad (\mathrm{EM}_n) \]

where $A$ is a $\Sigma^0_n$ formula. As a limit case we define $\mathrm{EM}_\infty$ where $A$ is a $\Pi^0_n$ formula for any $n$.

By adding $\mathrm{EM}_\infty$ to intuitionistic logic we get classical logic, so by adding $\mathrm{EM}_\infty$ to Heyting Arithmetic we get Peano Arithmetic, the theory of classical arithmetic. We can also produce many intermediate logics by adding $\mathrm{EM}_n$ to Heyting Arithmetic, which we write as HA + $\mathrm{EM}_n$. Note that $\mathrm{EM}_0$ is true in Heyting Arithmetic, so HA + $\mathrm{EM}_0$ is simply HA.
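The following Python functions are an added illustration of Definitions 2 and 3 and of the dual, written for this edition and not taken from the dissertation. They classify a prenex formula under the syntactical hierarchy read literally (no closure under logical equivalence), compute $A^{\bot}$, and build the $\mathrm{EM}_n$ instance $A^{\bot} \vee A$ for a $\Sigma^0_n$ formula. The tuple encoding of formulas and the function names are my own choices.

```python
from typing import Optional, Tuple

# Constructed representation (not the dissertation's): a quantifier-free formula
# is ("qf", text); quantified formulas are ("forall", x, A) and ("exists", x, A);
# negation and disjunction are ("not", A) and ("or", A, B).
Formula = tuple

def classify(a: Formula) -> Optional[Tuple[str, int]]:
    """Class of a formula under Definition 2, read literally.
    Returns ("qf", 0) for a quantifier-free formula (both Pi^0_0 and Sigma^0_0),
    ("Pi", n+1) for forall x. A with A in Sigma^0_n, ("Sigma", n+1) for
    exists x. A with A in Pi^0_n, and None otherwise (e.g. two consecutive
    quantifiers of the same kind, since no closure under equivalence is assumed)."""
    tag = a[0]
    if tag == "qf" or (tag == "not" and a[1][0] == "qf"):
        return ("qf", 0)
    if tag in ("forall", "exists"):
        inner = classify(a[2])
        if inner is None:
            return None
        kind, n = inner
        if tag == "forall" and kind in ("qf", "Sigma"):
            return ("Pi", n + 1)
        if tag == "exists" and kind in ("qf", "Pi"):
            return ("Sigma", n + 1)
    return None

def dual(a: Formula) -> Formula:
    """The dual A^bot of Section 2.1.6: swap each quantifier, negate the core."""
    tag = a[0]
    if tag == "qf":
        return ("not", a)
    if tag == "forall":
        return ("exists", a[1], dual(a[2]))
    if tag == "exists":
        return ("forall", a[1], dual(a[2]))
    raise ValueError("the dual is only defined on prenex formulas")

def em_instance(a: Formula) -> Tuple[int, Formula]:
    """The instance A^bot v A of EM_n for a Sigma^0_n formula A (Definition 3).
    Returns n together with the instance; n = 0 gives an instance of EM_0."""
    c = classify(a)
    if c is None or c[0] == "Pi":
        raise ValueError("EM_n instances are stated for Sigma^0_n formulas only")
    return c[1], ("or", dual(a), a)

def show(a: Formula) -> str:
    """Render a formula with the usual symbols, for inspection."""
    tag = a[0]
    if tag == "qf":
        return a[1]
    if tag == "not":
        return "¬" + show(a[1])
    if tag == "or":
        return "(" + show(a[1]) + " ∨ " + show(a[2]) + ")"
    return ("∀" if tag == "forall" else "∃") + a[1] + "." + show(a[2])

if __name__ == "__main__":
    A = ("exists", "x", ("forall", "y", ("qf", "P(x,y)")))   # a Sigma^0_2 formula
    print(classify(A), classify(dual(A)))                      # ('Sigma', 2) ('Pi', 2)
    n, em = em_instance(A)
    print(n, show(em))                   # 2 (∀x.∃y.¬P(x,y) ∨ ∃x.∀y.P(x,y))
```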

2.2 A Simply Typed $\lambda$-Calculus for Realizability

In this section we introduce system T′, a simply typed $\lambda$-calculus variant of Gödel's system T in which we shall write our realizers. System T′ will be more convenient for our purposes in order to get a more straightforward translation of monads and related concepts from category theory. There are two main differences between our system T′ and system T. The first one is that we replace the boolean type with the more general sum (or co-product) type. The second one is that the recursion operator uses complete recursion instead of standard primitive recursion.

We begin by defining the types. We shall use the metavariables $X$, $Y$ and $Z$ for types. We assume that we have a finite set of atomic types that includes the unit type $\mathrm{Unit}$ and the type of natural numbers $\mathrm{Nat}$. Moreover we have three binary type constructors $\to$, $\times$, $+$. In other words, for any types $X$ and $Y$ we have the arrow (or function) type $X \to Y$, the product type $X \times Y$ and the sum (or co-product) type $X + Y$.

We can now define the typed terms of the calculus. We assume that we have a countable set of typed term constants that includes the constructors and the destructors for the unit, natural, product and sum types (listed in Figure 2.6) and a countable set of variables of type $X$ for any type $X$:

\[ x_0 : X, \ldots, x_n : X, \ldots \]

We use the metavariables $x, y, z$ for terms. Moreover for any two terms $x : X$ and $y : X \to Y$ we have a term $y\,x : Y$ and for any variable $x : X$ and term $y : Y$ we have a term $\lambda x.\, y : X \to Y$. In order to avoid a parenthesis overflow, we shall follow the usual conventions for writing terms and types. For terms this means that application and abstraction are respectively left- and right-associative and that abstraction binds as many terms as possible on its right; for types it means that $\times$ and $+$ are left-associative and associate more closely than $\to$, which is right-associative. We also omit outer parentheses. For example:

\[
\begin{aligned}
X \to Y \to X \times Y \times Z &\ \text{ stands for }\ (X \to (Y \to ((X \times Y) \times Z))), \\
\lambda x^X.\, \lambda y^Y.\, \lambda z^Z.\, t_1 t_2 t_3 &\ \text{ stands for }\ (\lambda x^X.(\lambda y^Y.(\lambda z^Z.((t_1 t_2) t_3)))).
\end{aligned}
\]
We define some reduction relations, that is, binary relations between terms:

\[
\begin{aligned}
(\lambda x^X.\, t)\, a &\to_\beta t[x := a], \\
\mathrm{pr}_L^{X,Y}(\mathrm{pair}^{X,Y}\, a\, b) &\to_\times a, &
\mathrm{case}^{X,Y,Z}(\mathrm{in}_L^{X,Y}\, a)\, f\, g &\to_+ f\, a, \\
\mathrm{pr}_R^{X,Y}(\mathrm{pair}^{X,Y}\, a\, b) &\to_\times b, &
\mathrm{case}^{X,Y,Z}(\mathrm{in}_R^{X,Y}\, b)\, f\, g &\to_+ g\, b, \\
\mathrm{crec}^Z_n\, h\, m &\to_R
\begin{cases}
h\, m\, (\mathrm{crec}^Z_m\, h) & \text{if } m < n \text{ or } n = \infty, \\
\mathrm{dummy}_Z & \text{otherwise,}
\end{cases}
\end{aligned}
\]

where $a : X$, $b : Y$, $c : Z$, $f : X \to Z$, $g : Y \to Z$ and $h : \mathrm{Nat} \to (\mathrm{Nat} \to Z) \to Z$. Note that we write $\mathrm{dummy}_Z$ for a dummy term $c$ of type $Z$¹. Then we set the reduction relation $\to$ to be the union of $\to_\beta$, $\to_\times$, $\to_+$ and $\to_R$. Also let $\twoheadrightarrow$ be the transitive and reflexive closure of $\to$.

Figure 2.6: Constructors and destructors.

\[
\begin{array}{l}
\star : \mathrm{Unit}, \\[1ex]
\mathrm{pair}^{X,Y} : X \to Y \to X \times Y, \\[1ex]
\mathrm{pr}_L^{X,Y} : X \times Y \to X, \qquad \mathrm{pr}_R^{X,Y} : X \times Y \to Y, \\[1ex]
\mathrm{in}_L^{X,Y} : X \to X + Y, \qquad \mathrm{in}_R^{X,Y} : Y \to X + Y, \\[1ex]
\mathrm{case}^{X,Y,Z} : X + Y \to (X \to Z) \to (Y \to Z) \to Z, \\[1ex]
\mathrm{zero} : \mathrm{Nat}, \qquad \mathrm{succ} : \mathrm{Nat} \to \mathrm{Nat}, \\[1ex]
\mathrm{crec}^Z_n : (\mathrm{Nat} \to (\mathrm{Nat} \to Z) \to Z) \to \mathrm{Nat} \to Z,
\end{array}
\]

where $n$ is a natural number or the symbol $\infty$. In order we have the constant constructor of type $\mathrm{Unit}$, the constructor and the two destructors of the product types, the two constructors and the destructor of the sum types and the two constructors and the destructor of the natural type. Most of those are actually "parametric polymorphic" terms, that is, families of constants indexed by the types $X$, $Y$ and $Z$.

We explain the reduction given for $\mathrm{crec}$, since it is not the standard one. The difference is
due to the fact that $\mathrm{crec}$ is meant to realize complete induction instead of standard induction.
In complete induction, the inductive hypothesis holds not only for the immediate predecessor
of the value we are considering, but also for all the smaller values.

Similarly, $\mathrm{crec}$ allows us to recursively define a function $f$ where the value of $f(m)$ depends
not only on the value of $f(m - 1)$ but also on the value of $f(l)$, for any $l < m$. Thus,
when computing $\mathrm{crec}_n\,h\,m$, instead of taking the value of $\mathrm{crec}_n\,h\,(m - 1)$ as an argument, $h$
takes the whole function $\mathrm{crec}_m\,h$. In order to avoid unbounded recursion, we add a guard
$n$ that prevents $\mathrm{crec}_n\,h$ from being computed on arguments greater than or equal to $n$. More precisely,
$\mathrm{crec}_n\,h\,m$ only reduces to $h\,m\,(\mathrm{crec}_m\,h)$ if $m < n$; thus, even if $h$ requires $\mathrm{crec}_m\,h$ to be
computed on many values, the height of the computation tree is bounded by $m$.² Naturally, a
"good" $h$ should not evaluate $\mathrm{crec}_m\,h$ on values greater than or equal to $m$, but in any case the guard
guarantees termination. The symbol $\infty$ acts as a dummy guard, which gets replaced with an
effective one when $\mathrm{crec}_\infty\,h$ is evaluated the first time.
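The guarded reduction just described, as an added Python example (this is not code from the dissertation): `crec` models $\mathrm{crec}_n\,h\,m$ with $n = \infty$ represented by `None` and $\mathrm{dummy}_{\mathrm{Nat}}$ by `0`. The optional `trace` list records the pairs $(m, n)$ at which `crec` is evaluated, so one can watch the guard being installed on the first call and, for a misbehaving $h$, being hit. The function names `crec`, `fib`, `bit_length` and `self_call` are ours.

```python
"""Guarded course-of-values recursion, modelling the constant crec_n.

Added example, not code from the dissertation.  It models the reduction

    crec_n h m  ->  h m (crec_m h)   if m < n or n = oo,
    crec_n h m  ->  dummy_Z          otherwise,

with n = oo represented by None and dummy_Nat by 0.  The function names
(crec, fib, bit_length, self_call) and the trace parameter are ours.
"""

INF = None    # the dummy guard oo: no bound installed yet
DUMMY = 0     # dummy_Nat


def crec(h, m, n=INF, trace=None):
    """crec_n h m.  h(m, rec) receives rec = crec_m h, so it may ask for any smaller value."""
    if trace is not None:
        trace.append((m, n))
    if n is not INF and m >= n:
        return DUMMY                                   # guard hit: no recursion on values >= n
    return h(m, lambda l: crec(h, l, m, trace))        # the guard becomes m for the inner calls


# A "good" h: it only asks for strictly smaller arguments.
def fib(m, trace=None):
    return crec(lambda k, rec: k if k < 2 else rec(k - 1) + rec(k - 2), m, trace=trace)


# Another good h that "skips" values (footnote 2): the computation takes
# fewer than m steps because rec is only asked for k // 2.
def bit_length(m, trace=None):
    return crec(lambda k, rec: 0 if k == 0 else 1 + rec(k // 2), m, trace=trace)


# A "bad" h that asks for crec at its own argument.  Without the guard this
# would loop forever; with it, the inner call sees m >= n and yields DUMMY,
# so the term still normalises.
def self_call(m, trace=None):
    return crec(lambda k, rec: rec(k) + 1, m, trace=trace)
```

Running `bit_length(8, t)` leaves `t == [(8, None), (4, 8), (2, 4), (1, 2), (0, 1)]`: the first entry carries the dummy guard, every later entry carries the argument of the enclosing call as its guard, and only five evaluations are needed for $m = 8$.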

We shall also need the following equivalence relations between terms:

$$
\begin{aligned}
\lambda x^X.\,t &=_\alpha \lambda y^X.\,t[x := y], && \text{(α-conversion)}\\
\lambda x^X.\,t\,x &=_\eta t, && \text{(η-conversion)}\\
\mathrm{pair}^{X,Y}(\mathrm{pr}_L^{X,Y}\,c)(\mathrm{pr}_R^{X,Y}\,c) &=_\times c, && \text{(×-conversion)}\\
\mathrm{case}^{X,Y,X+Y}\,d\;\mathrm{in}_L^{X,Y}\;\mathrm{in}_R^{X,Y} &=_+ d, && \text{(+-conversion)}
\end{aligned}
$$

for all terms $t$, $c : X \times Y$ and $d : X + Y$ (in the η-conversion, $x$ must not occur free in $t$). Again we set the equivalence $=$ to be the union of
$=_\alpha$, $=_\eta$, $=_\times$ and $=_+$.

¹ As long as the base types are inhabited, we can define an arbitrary dummy term $\mathrm{dummy}_X$ for any type $X$:

$$
\begin{aligned}
\mathrm{dummy}_{\mathrm{Unit}} &= *, & \mathrm{dummy}_{\mathrm{Nat}} &= \mathrm{zero},\\
\mathrm{dummy}_{X \to Y} &= \lambda x^X.\,\mathrm{dummy}_Y, & \mathrm{dummy}_{X \times Y} &= \mathrm{pair}\,\mathrm{dummy}_X\,\mathrm{dummy}_Y, & \mathrm{dummy}_{X + Y} &= \mathrm{in}_L\,\mathrm{dummy}_X.
\end{aligned}
$$

² Unlike in standard primitive recursion, where the computation always comprises $m$ steps, in course-of-values
primitive recursion the computation can actually be shorter if $h$ "skips" values.
It is easy to see that the boolean type and the related terms $\mathrm{true}$, $\mathrm{false}$ and $\mathrm{ite}$ of Gödel's system T
can be defined in the system we just introduced. The reverse is also true, that is, we can define sum types and the
terms $\mathrm{in}_L$, $\mathrm{in}_R$ and $\mathrm{case}$ in Gödel's system T. We first show how to interpret the boolean type and the related
constants of Gödel's system T in our system:

$$
\begin{aligned}
\mathrm{Bool} &= \mathrm{Unit} + \mathrm{Unit},\\
\mathrm{true} &= \mathrm{in}_L\,*, & \mathrm{false} &= \mathrm{in}_R\,*,\\
\mathrm{ite}_X &= \lambda b^{\mathrm{Bool}}.\,\lambda x_1^X.\,\lambda x_2^X.\,\mathrm{case}\,b\,(\lambda y^{\mathrm{Unit}}.\,x_1)(\lambda y^{\mathrm{Unit}}.\,x_2).
\end{aligned}
$$

Conversely, assume that $X$ and $Y$ are inhabited, that is, that there exist terms $x_0 : X$ and $y_0 : Y$. Then
we can interpret the sum type and the related constants in Gödel's system T:

$$
\begin{aligned}
X + Y &= \mathrm{Bool} \times (X \times Y),\\
\mathrm{in}_L^{X,Y} &= \lambda x^X.\,\mathrm{pair}\,\mathrm{true}\,(\mathrm{pair}\,x\,y_0),\\
\mathrm{in}_R^{X,Y} &= \lambda y^Y.\,\mathrm{pair}\,\mathrm{false}\,(\mathrm{pair}\,x_0\,y),\\
\mathrm{case}^{X,Y,Z} &= \lambda b^{\mathrm{Bool} \times (X \times Y)}.\,\lambda f^{X \to Z}.\,\lambda g^{Y \to Z}.\,
\mathrm{ite}\,(\mathrm{pr}_L\,b)\,(f\,(\mathrm{pr}_L(\mathrm{pr}_R\,b)))\,(g\,(\mathrm{pr}_R(\mathrm{pr}_R\,b))).
\end{aligned}
$$

Our system shares most of the good properties of Gödel's system T, in particular confluence,
strong normalization³ and a normal form property.

³ Strong normalization is a consequence of the explicit bound on recursion given by the subscript in the
recursion constant.



Chapter 3 

A Monadic Framework for 
Interactive Realizability 



In this chapter we give a new presentation of interactive realizability with a more explicit 
syntax. 

Monads can be used to structure functional programs by providing a clean and modu- 
lar way to include impure features in purely functional languages. We express interactive 
realizers by means of an abstract framework that applies the monadic approach used in func- 
tional programming to modified realizability, in order to obtain more "relaxed" realizability 
notions that are suitable to classical logic. In particular we use a combination of the state 
and exception monads in order to capture the learning-from-mistakes nature of interactive 
realizers at the syntactic level. 

3.1 Introduction 

As we have already remarked in the preface, the Curry-Howard correspondence was originally
discovered for intuitionistic proofs. This is not coincidental: the type systems needed
to interpret intuitionistic proofs are usually very simple and natural, as in the case of Heyting
Arithmetic and System T (see [10]). While classical proofs can be transformed into intuitionistic
ones by means of the double-negation translation and then translated into typed
programs, the existence of a direct correspondence was deemed unlikely until Griffin showed
otherwise in [12].

Starting with Griffin's, other interpretations extending the Curry-Howard correspondence
to classical logic have been put forward. Griffin uses a "typed Idealized Scheme"
with the control construct call/cc, which allows access to the current continuation. In [19],
Parigot introduces the λμ-calculus, an extension of the lambda calculus with an additional kind
of variables for subterms. In [16], Krivine uses the lambda calculus with a non-standard semantics,
described by an abstract machine that allows the manipulation of "stacks", which can
be thought of as execution contexts.

All these different approaches seem to suggest that, in order to interpret classical logic,
we need control operators or some syntactical equivalent thereof. This could be generalized
into the idea that "impure" computational constructs are needed in order to interpret non-constructive
proofs. Monads are a concept from category theory that has been widely used
in computer science. In particular, they can be used to structure functional programs that
mimic the effects of impure features.

In [18], Moggi advocates the use of monads as a framework to describe and study many 
different "notions of computation" in the context of categorical semantics of programming 
languages. A different take on the same idea that actually eschews category theory com- 
pletely is suggested in [26] by Wadler: the definition of monad becomes purely syntactic 
and is used as a framework to structure functional programs by providing a clean and modu- 
lar way to include impure features in purely functional languages (one noteworthy example 
is I/O in Haskell). 

The main idea of this work is to use monads as suggested by Wadler in order to structure
programs extracted from classical proofs by interactive realizability. A program extracted
by means of interactive realizability, called an interactive realizer, can be thought of as a learning
process. It accumulates information in a knowledge state and uses this knowledge in order
to "decide" the instances of EM₁ used in the proof. Since these instances are in general
undecidable, the realizer actually makes an "educated guess" about which side of an EM₁
instance is true by looking at the state. Such guesses can be wrong.

This can become apparent later in the proof, when the guessed side of the EM₁ instance
is used to deduce some decidable statement. If this decidable statement turns out to be false,
then the guess was wrong and the proof cannot be completed. In this case the realizer cannot
produce the evidence required for the final statement and fails. However, failure is due to the
fact that we made a wrong guess. We can add this information to the state, so that, using
this new state, we will be able to guess the EM₁ instance correctly. At this point we discard
the computation that occurred after the wrong guess and we resume from there. This time
we guess correctly and can proceed until the end or until we fail again because we guessed
incorrectly another EM₁ instance.

There are three "impure" parts in the behavior we described: the dependency on the 
knowledge state, the possibility of failure to produce the intended result and the backtracking 
after the failure. In this work we use a monadic approach to describe the first two parts which 
are peculiar to interactive realizability. We do not describe the third part, which is common 
also to the other interpretations of classical logic. 

This chapter is an account of interactive realizability where interactive realizers are encoded
as λ-terms following the monadic approach to structuring functional programs suggested
by Wadler. We shall prove that our presentation of interactive realizability is a sound
semantics for HA + EM₁.

3.1.1 Main Results 

In our presentation, interactive realizers are written in a simply typed λ-calculus with products,
coproducts and natural numbers with course-of-values recursion, extended with some
abstract terms to represent states and exceptions. The peculiar features of interactive realizability,
namely the dependency on the knowledge state and the possibility of failure, are
explicitly computed by the λ-terms encoding the realizers. Thus the computational behavior
of interactive realizers is evident at the syntactic level, without the need for a special semantics.

While proving the soundness of HA + EM₁ with respect to our definition of interactive
realizability, we observed that the soundness of HA did not require any assumption on the
specific monad we chose to structure interactive realizers (while the soundness of EM₁ requires
them, as expected). Prompted by this observation, we split the presentation in two parts.

The former is an abstract monadic framework for producing realizability notions where
the realizers are written in monadic style. We prove that HA is sound with respect to any
realizability semantics defined by the framework, for any monad.

The latter is an application of this abstract framework to interactive realizability. We
define a specific monad which we use to structure interactive realizers and a class of realizability
semantics that

Our definition of interactive realizability can thus be generalized to an abstract realizability
notion where the monad is a parameter. We call this family of realizability notions monadic
realizability and we show that all instances of monadic realizability are sound semantics
for HA. Our interest is in concrete monadic realizability notions that can realize classical
principles beyond HA. Another motivation is that in the proof of the soundness of HA + EM₁
with respect to interactive realizability semantics, we take advantage of the special properties
of the interactive realizability monad only to prove the soundness of EM₁, while for the rest of
HA we just need some generic properties of the semantics which require no assumption on
the monad we are considering.



3.1.2 Related Works 

This work builds on the presentation of interactive realizability given in [2] by Aschieri and
Berardi. The main contribution with respect to [2] is a more precise description of the
computational behavior of interactive realizers. This is explained in more detail at the end of
this chapter.

Monads were first used to describe interactive realizability by Berardi and de'Liguoro
in [7] and [4], where interactive realizers for PRA + EM₁ are given a monadic categorical semantics
following Moggi's approach. While our idea of using monads to describe interactive
realizability was inspired by [7], our work is mostly unrelated: our use of monads follows
Wadler's syntactic approach and we employ a different monad that emphasizes different
aspects of interactive realizability.



3.2 Monadic Realizability 

This section contains the abstract part of our work. We describe the abstract framework of 
monadic realizability and show the soundness of HA with respect to the semantics induced 
by a generic monad. 
3.2.1 The Monadic Realizability Semantics

In this subsection we define monadic realizability. We state the properties that a suitable
relation must satisfy in order to be called a monadic realizability relation and we show how
such a relation induces a (monadic) realizability semantics. Then we describe the proof
decoration procedure to extract monadic realizers from proofs in HA. Here we are only
concerned with proofs in HA; for a non-trivial example of a monadic realizability notion see
interactive realizability in Section 3.3.

We start by introducing a syntactic translation of the concept of monad from category
theory. Informally, a monad is an operator $T_{\mathfrak M}$ "extending" a type, with a canonical embedding
from $X$ to $T_{\mathfrak M}(X)$, a canonical way to lift a map from $X$ to $T_{\mathfrak M}(Y)$ to a map from $T_{\mathfrak M}(X)$
to $T_{\mathfrak M}(Y)$, and a canonical way of merging an element of $T_{\mathfrak M}(X)$ and an element of $T_{\mathfrak M}(Y)$ into
an element of $T_{\mathfrak M}(X \times Y)$. We also require some equations relating these canonical maps,
equations which are often satisfied in the practice of programming.

Definition 4 (Syntactic Monad). A syntactic monad $\mathfrak M$ is a tuple $(T_{\mathfrak M}, \mathrm{unit}_{\mathfrak M}, \mathrm{star}_{\mathfrak M}, \mathrm{merge}_{\mathfrak M})$
where $T_{\mathfrak M}$ is a type constructor, that is, a map from types to types, and, for any types $X$, $Y$,
$\mathrm{unit}_{\mathfrak M}$, $\mathrm{star}_{\mathfrak M}$ and $\mathrm{merge}_{\mathfrak M}$ are families (indexed by $X$ and $Y$) of closed terms:

$$
\begin{aligned}
\mathrm{unit}^X_{\mathfrak M} &: X \to T_{\mathfrak M} X,\\
\mathrm{star}^{X,Y}_{\mathfrak M} &: (X \to T_{\mathfrak M} Y) \to (T_{\mathfrak M} X \to T_{\mathfrak M} Y),\\
\mathrm{merge}^{X,Y}_{\mathfrak M} &: T_{\mathfrak M} X \to T_{\mathfrak M} Y \to T_{\mathfrak M}(X \times Y),
\end{aligned}
$$

satisfying the following properties:

$$
\begin{aligned}
\mathrm{star}^{X,X}_{\mathfrak M}\,\mathrm{unit}^X_{\mathfrak M}\,\bar x &\rightsquigarrow \bar x, && \text{(M1)}\\
\mathrm{star}^{X,Y}_{\mathfrak M}\,f\,(\mathrm{unit}^X_{\mathfrak M}\,x) &\rightsquigarrow f\,x, && \text{(M2)}\\
\mathrm{merge}^{X,Y}_{\mathfrak M}\,(\mathrm{unit}^X_{\mathfrak M}\,x)(\mathrm{unit}^Y_{\mathfrak M}\,y) &\rightsquigarrow \mathrm{unit}^{X \times Y}_{\mathfrak M}(\mathrm{pair}^{X,Y}\,x\,y), && \text{(M3)}
\end{aligned}
$$

for any $\bar x : T_{\mathfrak M} X$, $f : X \to T_{\mathfrak M} Y$, $g : Y \to T_{\mathfrak M} Z$, $x : X$ and $y : Y$.

The terms $\mathrm{unit}_{\mathfrak M}$ and $\mathrm{star}_{\mathfrak M}$ and Properties M1 and M2 are a straightforward translation
of the definition of Kleisli triple in category theory, an equivalent way to describe a monad.¹
The term $\mathrm{merge}_{\mathfrak M}$ and Property M3 are connected to the definition of strong monad: $\mathrm{merge}_{\mathfrak M}$
is the syntactic counterpart of the natural transformation $\psi$ induced by the tensorial strength
of the monad (see [18] for details). While $\psi$ satisfies several other properties in [18], Property
M3 is the only one we need for our treatment.

Example 1. The simplest example of syntactic monad is the identity monad $\mathfrak{Id}$, defined as:

$$
\begin{aligned}
T_{\mathfrak{Id}} X &= X, & \mathrm{unit}^X_{\mathfrak{Id}} &= \lambda x^X.\,x,\\
\mathrm{star}^{X,Y}_{\mathfrak{Id}} &= \lambda f^{X \to Y}.\,f, & \mathrm{merge}^{X,Y}_{\mathfrak{Id}} &= \mathrm{pair}^{X,Y}.
\end{aligned}
$$

This monad cannot describe any additional computational property besides the value a term
reduces to.

Example 2. A simple but non-trivial example is the exception monad $\mathfrak{Ex}$. It describes computations
which may either succeed and yield a (normal) value or fail and yield a description
of the failure. Consider the usual predecessor function $\mathrm{pred} : \mathrm{Nat} \to \mathrm{Nat}$ on the natural numbers:
since zero has no predecessor it is common to define $\mathrm{pred}\,0$ as zero. Instead, with $\mathfrak{Ex}$
we could have $\mathrm{pred}$ fail and yield a string² saying "zero has no predecessor".

Let $\mathrm{Ex}$ be a new ground type and let $\mathrm{merge} : \mathrm{Ex} \to \mathrm{Ex} \to \mathrm{Ex}$ be a new constant term.
We think of terms of type $\mathrm{Ex}$ as descriptions of failures and we call them exceptions. We think
of $\mathrm{merge}$ as an operation that merges the information of multiple exceptions when there are
multiple failures in a computation. Now we can define the syntactic monad $\mathfrak{Ex}$ as:

$$
\begin{aligned}
T_{\mathfrak{Ex}} X &= X + \mathrm{Ex}, & \mathrm{unit}^X_{\mathfrak{Ex}} &= \lambda x^X.\,\mathrm{in}_L^{X,\mathrm{Ex}}\,x,\\
\mathrm{star}^{X,Y}_{\mathfrak{Ex}} &= \lambda f^{X \to Y + \mathrm{Ex}}.\,\lambda \bar x^{X + \mathrm{Ex}}.\,\mathrm{case}^{X,\mathrm{Ex},Y + \mathrm{Ex}}\,\bar x\,f\,\mathrm{in}_R^{Y,\mathrm{Ex}},\\
\mathrm{merge}^{X,Y}_{\mathfrak{Ex}} &= \lambda \bar x^{X + \mathrm{Ex}}.\,\lambda \bar y^{Y + \mathrm{Ex}}.\,\mathrm{case}^{X,\mathrm{Ex},(X \times Y) + \mathrm{Ex}}\,\bar x\\
&\qquad (\lambda x^X.\,\mathrm{case}^{Y,\mathrm{Ex},(X \times Y) + \mathrm{Ex}}\,\bar y\,(\lambda y^Y.\,\mathrm{in}_L^{X \times Y,\mathrm{Ex}}(\mathrm{pair}^{X,Y}\,x\,y))\,\mathrm{in}_R^{X \times Y,\mathrm{Ex}})\\
&\qquad (\lambda e^{\mathrm{Ex}}.\,\mathrm{case}^{Y,\mathrm{Ex},(X \times Y) + \mathrm{Ex}}\,\bar y\,(\lambda y^Y.\,\mathrm{in}_R^{X \times Y,\mathrm{Ex}}\,e)\,(\lambda e'^{\mathrm{Ex}}.\,\mathrm{in}_R^{X \times Y,\mathrm{Ex}}(\mathrm{merge}\,e\,e'))).
\end{aligned}
$$

We omit the proof that $\mathfrak{Ex}$ is a syntactic monad.

¹ This part of the definition follows the one given by Wadler in [26], with the difference that we replace the
term $\mathrm{bind}_{\mathfrak M}$ with $\mathrm{star}_{\mathfrak M}$, where

$$
\mathrm{bind}^{X,Y}_{\mathfrak M} : T_{\mathfrak M} X \to (X \to T_{\mathfrak M} Y) \to T_{\mathfrak M} Y.
$$

Defining $\mathrm{star}_{\mathfrak M}$ and $\mathrm{bind}_{\mathfrak M}$ in terms of each other is straightforward:

$$
\begin{aligned}
\mathrm{bind}^{X,Y}_{\mathfrak M} &= \lambda \bar x^{T_{\mathfrak M} X}.\,\lambda f^{X \to T_{\mathfrak M} Y}.\,\mathrm{star}_{\mathfrak M}\,f\,\bar x,\\
\mathrm{star}^{X,Y}_{\mathfrak M} &= \lambda f^{X \to T_{\mathfrak M} Y}.\,\lambda \bar x^{T_{\mathfrak M} X}.\,\mathrm{bind}_{\mathfrak M}\,\bar x\,f.
\end{aligned}
$$

The term $\mathrm{star}_{\mathfrak M}$ corresponds directly to the operator $\_^*$ in the definition of Kleisli triple.

² Assuming we had strings in our calculus.
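The exception monad of Example 2, written out as an added Python example (this is not code from the dissertation). Sums $X + \mathrm{Ex}$ are encoded as tagged pairs `('L', x)` and `('R', e)`; the abstract constant $\mathrm{merge} : \mathrm{Ex} \to \mathrm{Ex} \to \mathrm{Ex}$ is instantiated, as an assumption of this example only, by concatenating tuples of messages, so that a computation with two failures reports both. `pred` is the failing predecessor, `pred2` composes it through $\mathrm{star}_{\mathfrak{Ex}}$, and `laws_hold` checks M1, M2 and M3 on concrete inputs, with structural equality standing in for $\rightsquigarrow$.

```python
"""The exception monad Ex as a syntactic monad (unit, star, merge).

Added example, not code from the dissertation.  T_Ex X = X + Ex is encoded
as a tagged pair: ('L', x) for a normal value, ('R', e) for an exception.
An exception is a tuple of messages and the constant merge : Ex -> Ex -> Ex
is tuple concatenation; both are assumptions of this example, the
dissertation leaves Ex and merge abstract.
"""


# -- the sum type X + Ex and its destructor ----------------------------------
def in_l(x):
    return ('L', x)


def in_r(e):
    return ('R', e)


def case(s, f, g):
    return f(s[1]) if s[0] == 'L' else g(s[1])


def merge_ex(e1, e2):          # merge : Ex -> Ex -> Ex (assumed: concatenation)
    return e1 + e2


# -- the syntactic monad Ex ----------------------------------------------------
def unit(x):                   # unit_Ex : X -> X + Ex
    return in_l(x)


def star(f):                   # star_Ex : (X -> Y + Ex) -> (X + Ex -> Y + Ex)
    return lambda xb: case(xb, f, in_r)


def merge(xb, yb):             # merge_Ex : X + Ex -> Y + Ex -> (X x Y) + Ex
    return case(
        xb,
        lambda x: case(yb, lambda y: in_l((x, y)), in_r),
        lambda e: case(yb, lambda y: in_r(e), lambda e2: in_r(merge_ex(e, e2))),
    )


# -- the predecessor of Example 2, failing on zero -----------------------------
def pred(n):
    if n == 0:
        return in_r(("zero has no predecessor",))
    return unit(n - 1)


def pred2(n):
    """pred composed with itself in monadic style: star pred (pred n)."""
    return star(pred)(pred(n))


def laws_hold(xb, x, y, f):
    """M1-M3 of Definition 4 on concrete inputs; == plays the role of ~>."""
    m1 = star(unit)(xb) == xb
    m2 = star(f)(unit(x)) == f(x)
    m3 = merge(unit(x), unit(y)) == unit((x, y))
    return m1 and m2 and m3
```

`merge(pred(0), pred(0))` yields `('R', ('zero has no predecessor', 'zero has no predecessor'))`: both failures survive, which is the point of making $\mathrm{merge}$ on exceptions part of the monad rather than keeping only the first one.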

A realizability relation is a binary relation between terms and closed formulas. When
a term and a formula are in such a relation we shall say that the term realizes the formula
or that the term is a realizer of the formula. The intended meaning is that a realizer of a
formula is the computational content of a proof of the formula.

We proceed towards the definition of a family of realizability relations, which we call
monadic realizability relations. Any monadic realizability relation is given with respect to
some monad $\mathfrak M$ and determines a particular notion of realizability where realizers have the
computational properties described by the monad. In the rest of this section we shall assume
that $\mathfrak M = (T_{\mathfrak M}, \mathrm{unit}_{\mathfrak M}, \mathrm{star}_{\mathfrak M}, \mathrm{merge}_{\mathfrak M})$ denotes any fixed syntactic monad.

We now define the type of the monadic realizers of a formula. The idea is to take the
standard definition of the type of intuitionistic realizers of a formula $A$ and to apply $T_{\mathfrak M}$ only
to the type $X$ of the whole formula $A$ and to the types appearing in $X$ after an arrow, namely
the types of consequents $C$ of implication sub-formulas $B \to C$ in $A$ and the types of bodies
$B$ of universally quantified sub-formulas $\forall x.\,B$ in $A$. This is the standard call-by-value way to
treat arrow types in a monadic framework, explained in [25].

Definition 5 (Types for Monadic Realizers). We define two mappings $\|\cdot\|_{\mathfrak M}$ and $|\cdot|_{\mathfrak M}$ from
formulas to types by simultaneous recursion. The first is the outer or monadic typing of a
formula $A$:

$$
\|A\|_{\mathfrak M} = T_{\mathfrak M}\,|A|_{\mathfrak M},
$$

and the latter is the inner typing, defined by induction on the structure of $A$:

$$
\begin{aligned}
|P|_{\mathfrak M} &= \mathrm{Unit}, & |B \wedge C|_{\mathfrak M} &= |B|_{\mathfrak M} \times |C|_{\mathfrak M},\\
|B \vee C|_{\mathfrak M} &= |B|_{\mathfrak M} + |C|_{\mathfrak M}, & |\exists x.\,B|_{\mathfrak M} &= \mathrm{Nat} \times |B|_{\mathfrak M},\\
|B \to C|_{\mathfrak M} &= |B|_{\mathfrak M} \to \|C\|_{\mathfrak M}, & |\forall x.\,B|_{\mathfrak M} &= \mathrm{Nat} \to \|B\|_{\mathfrak M},
\end{aligned}
$$

where $P$ is an atomic formula and $B$ and $C$ are any formulas.

Note that we consider $\bot$ to be atomic and $\neg A$ to be a notation for $A \to \bot$, so the types
of their realizers follow from the previous definition.

As we defined two types for each formula $A$, each formula has two possible realizers,
one of type $|A|_{\mathfrak M}$ and one of type $\|A\|_{\mathfrak M}$. The former will follow the BHK interpretation
like an ordinary intuitionistic realizer, while the latter will be able to take advantage of the
computational properties given by the syntactic monad $\mathfrak M$. A formula (in particular a classical
principle) may have a realizer of monadic type but no realizer of inner type.

Remark 1. The definition of $\|\cdot\|_{\mathfrak M}$ and $|\cdot|_{\mathfrak M}$ can be derived from the Curry-Howard correspondence
between formulas and types and from the call-by-value monadic translation for
types. We define the standard interpretation $|\cdot|$ that maps a formula into the type of its
realizers:

$$
\begin{aligned}
|P| &= \mathrm{Unit}, & |A \wedge B| &= |A| \times |B|,\\
|A \vee B| &= |A| + |B|, & |A \to B| &= |A| \to |B|,\\
|\forall x.\,A| &= \mathrm{Nat} \to |A|, & |\exists x.\,A| &= \mathrm{Nat} \times |A|.
\end{aligned}
$$

Next we define a translation $[\![\cdot]\!]_{\mathfrak M}$ that lifts types to their monadic counterparts:

$$
\begin{aligned}
[\![X_0]\!]_{\mathfrak M} &= X_0, & [\![X \to Y]\!]_{\mathfrak M} &= [\![X]\!]_{\mathfrak M} \to T_{\mathfrak M}[\![Y]\!]_{\mathfrak M},\\
[\![X \times Y]\!]_{\mathfrak M} &= [\![X]\!]_{\mathfrak M} \times [\![Y]\!]_{\mathfrak M}, & [\![X + Y]\!]_{\mathfrak M} &= [\![X]\!]_{\mathfrak M} + [\![Y]\!]_{\mathfrak M},
\end{aligned}
$$

where $X_0$ is a ground type. The first two clauses are taken from [27] and the other ones are
a simple extension, based on the idea that products and sums behave like ground types.
By composition we can define the types for the monadic realizers of a formula:

$$
|A|_{\mathfrak M} = [\![\,|A|\,]\!]_{\mathfrak M}, \qquad \|A\|_{\mathfrak M} = T_{\mathfrak M}[\![\,|A|\,]\!]_{\mathfrak M}.
$$

Expanding the definitions we get:

$$
\begin{aligned}
|P|_{\mathfrak M} &= \mathrm{Unit},\\
|A \wedge B|_{\mathfrak M} &= [\![\,|A|\,]\!]_{\mathfrak M} \times [\![\,|B|\,]\!]_{\mathfrak M} = |A|_{\mathfrak M} \times |B|_{\mathfrak M},\\
|A \vee B|_{\mathfrak M} &= [\![\,|A|\,]\!]_{\mathfrak M} + [\![\,|B|\,]\!]_{\mathfrak M} = |A|_{\mathfrak M} + |B|_{\mathfrak M},\\
|A \to B|_{\mathfrak M} &= [\![\,|A|\,]\!]_{\mathfrak M} \to T_{\mathfrak M}[\![\,|B|\,]\!]_{\mathfrak M} = |A|_{\mathfrak M} \to T_{\mathfrak M}|B|_{\mathfrak M},\\
|\forall x.\,A|_{\mathfrak M} &= [\![\mathrm{Nat}]\!]_{\mathfrak M} \to T_{\mathfrak M}[\![\,|A|\,]\!]_{\mathfrak M} = \mathrm{Nat} \to T_{\mathfrak M}|A|_{\mathfrak M},\\
|\exists x.\,A|_{\mathfrak M} &= [\![\mathrm{Nat}]\!]_{\mathfrak M} \times [\![\,|A|\,]\!]_{\mathfrak M} = \mathrm{Nat} \times |A|_{\mathfrak M}.
\end{aligned}
$$

This is the same translation we described in Definition 5.
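Definition 5 and the two-step route of Remark 1, as an added Python example (not code from the dissertation). Formulas and types are tuples in an encoding of our own; `inner_type` and `outer_type` implement the clauses of Definition 5 directly, `std_type` and `lift` implement $|\cdot|$ and $[\![\cdot]\!]_{\mathfrak M}$, and `same_by_both_routes` checks that the two routes agree. The sample formula `EM1` has the shape of an EM₁ instance, $\forall x.\,(\exists y.\,P) \vee \neg(\exists y.\,P)$, whose inner type shows where $T_{\mathfrak M}$ ends up.

```python
"""Types of monadic realizers (Definition 5), computed in two ways.

Added example, not code from the dissertation.  Encoding (ours):
  formulas: ('atom', name) | ('and', B, C) | ('or', B, C) | ('imp', B, C)
            | ('all', x, B) | ('ex', x, B);   not A  is  ('imp', A, ('atom', 'bot'))
  types:    ('Unit',) | ('Nat',) | ('prod', X, Y) | ('sum', X, Y)
            | ('arrow', X, Y) | ('T', X)        (('T', X) is T_M X)
"""

UNIT, NAT = ('Unit',), ('Nat',)


def inner_type(A):
    """|A|_M by the clauses of Definition 5 (mutually recursive with outer_type)."""
    tag = A[0]
    if tag == 'atom':
        return UNIT
    if tag == 'and':
        return ('prod', inner_type(A[1]), inner_type(A[2]))
    if tag == 'or':
        return ('sum', inner_type(A[1]), inner_type(A[2]))
    if tag == 'imp':                       # |B -> C|_M = |B|_M -> ||C||_M
        return ('arrow', inner_type(A[1]), outer_type(A[2]))
    if tag == 'all':                       # |forall x. B|_M = Nat -> ||B||_M
        return ('arrow', NAT, outer_type(A[2]))
    if tag == 'ex':                        # |exists x. B|_M = Nat x |B|_M
        return ('prod', NAT, inner_type(A[2]))
    raise ValueError(tag)


def outer_type(A):
    """||A||_M = T_M |A|_M."""
    return ('T', inner_type(A))


def std_type(A):
    """|A|: the standard type of intuitionistic (identity-monad) realizers."""
    tag = A[0]
    if tag == 'atom':
        return UNIT
    if tag == 'and':
        return ('prod', std_type(A[1]), std_type(A[2]))
    if tag == 'or':
        return ('sum', std_type(A[1]), std_type(A[2]))
    if tag == 'imp':
        return ('arrow', std_type(A[1]), std_type(A[2]))
    if tag == 'all':
        return ('arrow', NAT, std_type(A[2]))
    if tag == 'ex':
        return ('prod', NAT, std_type(A[2]))
    raise ValueError(tag)


def lift(ty):
    """[[.]]_M of Remark 1: T_M is applied to the right of every arrow only."""
    tag = ty[0]
    if tag in ('Unit', 'Nat'):
        return ty
    if tag == 'arrow':
        return ('arrow', lift(ty[1]), ('T', lift(ty[2])))
    return (tag, lift(ty[1]), lift(ty[2]))      # prod / sum: componentwise


def same_by_both_routes(A):
    """Definition 5 agrees with the composition [[ |A| ]]_M of Remark 1."""
    return inner_type(A) == lift(std_type(A)) and outer_type(A) == ('T', lift(std_type(A)))


def show(ty):
    """Render a type; 'T(...)' stands for T_M applied to a type."""
    tag = ty[0]
    if tag in ('Unit', 'Nat'):
        return tag
    if tag == 'T':
        return 'T(' + show(ty[1]) + ')'
    op = {'prod': ' x ', 'sum': ' + ', 'arrow': ' -> '}[tag]
    return '(' + show(ty[1]) + op + show(ty[2]) + ')'


# An EM_1-shaped formula: forall x. (exists y. P) or not (exists y. P).
EXISTS_P = ('ex', 'y', ('atom', 'P'))
EM1 = ('all', 'x', ('or', EXISTS_P, ('imp', EXISTS_P, ('atom', 'bot'))))
```

For `EM1`, `show(inner_type(EM1))` gives `(Nat -> T(((Nat x Unit) + ((Nat x Unit) -> T(Unit)))))`: the monad wraps the disjunction chosen for each $x$ and the result of refuting a witness, but not the witness pair $\mathrm{Nat} \times \mathrm{Unit}$ itself.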

We shall now state the requirements for a realizability relation to be a monadic realizability
relation. A realizability relation is to be thought of as the restriction of the realizability
semantics to closed formulas, that is, a relation between terms of our calculus and closed formulas
which holds when a term is a realizer of the formula. Since a formula can have realizers of
inner and outer type, in the following definition two realizability relations will appear: $R_{\mathfrak M}$
for realizers of inner type, whose definition is modeled after the BHK interpretation, and $\mathfrak R_{\mathfrak M}$
for the realizers of outer type, which takes into consideration the computational properties of
the monad $\mathfrak M$.

As a typographical convention we shall use the letters $r$, $p$ and $q$ for terms of type $|A|_{\mathfrak M}$.
Similarly we shall use $\bar r$, $\bar p$ and $\bar q$ for terms of type $\|A\|_{\mathfrak M}$.

Definition 6 (Monadic Realizability Relation). Let $\mathfrak R_{\mathfrak M}$ be a realizability relation between
terms of type $\|A\|_{\mathfrak M}$ and closed formulas $A$. Let $R_{\mathfrak M}$ be another realizability relation between
terms of type $|A|_{\mathfrak M}$ and closed formulas $A$, such that

• $r\;R_{\mathfrak M}\;P$ iff $r \rightsquigarrow *$ and $P$ is true,

• $r\;R_{\mathfrak M}\;B \wedge C$ iff $\mathrm{pr}_L\,r\;R_{\mathfrak M}\;B$ and $\mathrm{pr}_R\,r\;R_{\mathfrak M}\;C$,

• $r\;R_{\mathfrak M}\;B \vee C$ iff $r \rightsquigarrow \mathrm{in}_L\,a$ and $a\;R_{\mathfrak M}\;B$, or $r \rightsquigarrow \mathrm{in}_R\,b$ and $b\;R_{\mathfrak M}\;C$,

• $r\;R_{\mathfrak M}\;B \to C$ iff $r\,p\;\mathfrak R_{\mathfrak M}\;C$ for all $p : |B|_{\mathfrak M}$ such that $p\;R_{\mathfrak M}\;B$,

• $r\;R_{\mathfrak M}\;\forall x.\,B$ iff $r\,n\;\mathfrak R_{\mathfrak M}\;B[x := n]$ for all natural numbers $n$,

• $r\;R_{\mathfrak M}\;\exists x.\,B$ iff $\mathrm{pr}_R\,r\;R_{\mathfrak M}\;B[x := \mathrm{pr}_L\,r]$,

where $P$ is a closed atomic formula and $B$ and $C$ are generic formulas. We consider $\bot$ a
closed atomic formula which is never true (for instance $0 = 1$). We shall say that the pair
$(\mathfrak R_{\mathfrak M}, R_{\mathfrak M})$ is a monadic realizability relation if the following properties are satisfied:

MR1 if $r\;R_{\mathfrak M}\;A$ then $\mathrm{unit}_{\mathfrak M}\,r\;\mathfrak R_{\mathfrak M}\;A$,

MR2 if $r\;R_{\mathfrak M}\;B \to C$ then $\mathrm{star}_{\mathfrak M}\,r\,\bar p\;\mathfrak R_{\mathfrak M}\;C$ for all $\bar p : \|B\|_{\mathfrak M}$ such that $\bar p\;\mathfrak R_{\mathfrak M}\;B$,

MR3 if $\bar p\;\mathfrak R_{\mathfrak M}\;B$ and $\bar q\;\mathfrak R_{\mathfrak M}\;C$ then $\mathrm{merge}_{\mathfrak M}\,\bar p\,\bar q\;\mathfrak R_{\mathfrak M}\;B \wedge C$.

We will say that a term $r$ (resp. $\bar r$) is an inner (resp. outer or monadic) realizer of a formula
$A$ if $r : |A|_{\mathfrak M}$ (resp. $\bar r : \|A\|_{\mathfrak M}$) and $r\;R_{\mathfrak M}\;A$ (resp. $\bar r\;\mathfrak R_{\mathfrak M}\;A$).

When defining a concrete monadic realizability relation, it is often convenient to define
$\mathfrak R_{\mathfrak M}$ in terms of $R_{\mathfrak M}$ too, that is, the two relations will be defined by simultaneous recursion
in terms of each other.

Note how the properties of the relation $R_{\mathfrak M}$ resemble the clauses of the definition of standard
modified realizability. The main difference is that in the functional cases, those of implication
and universal quantification, $R_{\mathfrak M}$ is not defined in terms of itself but uses $\mathfrak R_{\mathfrak M}$. This
makes apparent our claim that the behavior of inner realizers is closely related to the BHK
interpretation.

Property MR1 is a constraint on the relationship between $\mathfrak R_{\mathfrak M}$ and $R_{\mathfrak M}$. It requires $\mathrm{unit}_{\mathfrak M}$
to transform inner realizers into monadic realizers, which can be thought of as the fact that
realizers satisfying the BHK interpretation are acceptable monadic realizers. Property MR2
again links $R_{\mathfrak M}$ and $\mathfrak R_{\mathfrak M}$, this time through $\mathrm{star}_{\mathfrak M}$. It says that, if we have a term that maps
inner realizers into monadic realizers, its lifting by means of $\mathrm{star}_{\mathfrak M}$ maps monadic realizers
into monadic realizers. Property MR3 is a compatibility condition between $\mathrm{merge}_{\mathfrak M}$ and
$\mathfrak R_{\mathfrak M}$. These conditions are all we shall need in order to show that any monadic realizability
relation determines a sound semantics for HA. Later we shall see how particular instances
of monadic realizability can produce a sound semantics for more than just HA.

Example 3. We continue our example with the identity monad $\mathfrak{Id}$ by defining a monadic
realizability relation. We define $\mathfrak R_{\mathfrak{Id}}$ and $R_{\mathfrak{Id}}$ by simultaneous recursion, with $R_{\mathfrak{Id}}$ defined in
terms of $\mathfrak R_{\mathfrak{Id}}$ as in Definition 6 and $\mathfrak R_{\mathfrak{Id}}$ defined as $R_{\mathfrak{Id}}$, which makes sense since $\|A\|_{\mathfrak{Id}} =
|A|_{\mathfrak{Id}}$.

We can now define the monadic realizability semantics for a given monadic realizability
relation, that is, we say when a realizer validates a sequent where a formula can be open and
depend on assumptions. In order to do this we need a notation for a formula in a context,
which we call a decorated sequent. A decorated sequent has the form $\Gamma \Vdash_{\mathfrak M} \bar r : A$ where $A$ is a
formula, $\bar r$ is a term of type $\|A\|_{\mathfrak M}$ and $\Gamma$ is the context, namely, a list of assumptions written
as $\alpha_1 : A_1, \ldots, \alpha_k : A_k$ where $A_1, \ldots, A_k$ are formulas and $\alpha_1, \ldots, \alpha_k$ are proof variables that
label each assumption, that is, they are variables of type $|A_1|_{\mathfrak M}, \ldots, |A_k|_{\mathfrak M}$. As we did with
the syntactic monad $\mathfrak M$, in the following we shall assume to be working with a fixed generic
monadic realizability relation $\mathfrak R_{\mathfrak M}$.

Definition 7 (Monadic Realizability Semantics). Consider a decorated sequent:

$$
\alpha_1 : A_1, \ldots, \alpha_k : A_k \Vdash_{\mathfrak M} \bar r : B,
$$

such that the free variables of $B$ are $x_1, \ldots, x_l$ and the free variables of $\bar r$ are either in
$x_1, \ldots, x_l$ or in $\alpha_1, \ldots, \alpha_k$. We say that the sequent is valid if and only if for all natural
numbers $n_1, \ldots, n_l$ and for all inner realizers $p_1 : |A_1|_{\mathfrak M}, \ldots, p_k : |A_k|_{\mathfrak M}$ such that

$$
p_1\;R_{\mathfrak M}\;A_1[x_1 := n_1, \ldots, x_l := n_l], \quad \ldots, \quad p_k\;R_{\mathfrak M}\;A_k[x_1 := n_1, \ldots, x_l := n_l],
$$

we have that

$$
\bar r[x_1 := n_1, \ldots, x_l := n_l, \alpha_1 := p_1, \ldots, \alpha_k := p_k]\;\mathfrak R_{\mathfrak M}\;B[x_1 := n_1, \ldots, x_l := n_l].
$$

Example 4. From Definition 7, it follows that the semantics induced by the monadic realizability
relation $\mathfrak R_{\mathfrak{Id}}$ is exactly the standard semantics of modified realizability.

Now that we have defined our semantics, we can illustrate the method to extract monadic
realizers from proofs in HA. Later we shall show how to extend our proof extraction technique
to HA + EM₁. Since proofs in HA are constructive, the monadic realizers obtained from
them behave much like their counterparts in standard modified realizability and comply with
the BHK interpretation. In Section 3.3 we shall show how to extend the proof decoration to
non-constructive proofs by exhibiting a monadic realizer of EM₁ that truly takes advantage
of monadic realizability, since it does not act according to the BHK interpretation.

In order to build monadic realizers of proofs in HA we need a generalization of $\mathrm{star}_{\mathfrak M}$
that works for functions of more than one argument. We can build it using $\mathrm{merge}_{\mathfrak M}$ to pack
realizers together. Thus let

$$
\mathrm{star}_k^{X_1, \ldots, X_k, Y} : (X_1 \to \cdots \to X_k \to T_{\mathfrak M} Y) \to (T_{\mathfrak M} X_1 \to \cdots \to T_{\mathfrak M} X_k \to T_{\mathfrak M} Y)
$$

be a family of terms defined by induction on $k \geq 0$:

$$
\begin{aligned}
\mathrm{star}_0^{Y} &= \lambda f^{T_{\mathfrak M} Y}.\,f, \qquad \mathrm{star}_1^{X,Y} = \mathrm{star}^{X,Y}_{\mathfrak M},\\
\mathrm{star}_{k+2} &= \lambda f^{X_1 \to X_2 \to \cdots \to X_{k+2} \to T_{\mathfrak M} Y}.\,\lambda \bar x^{T_{\mathfrak M} X_1}.\,\lambda \bar y^{T_{\mathfrak M} X_2}.\,
\mathrm{star}_{k+1}\,(\lambda z^{X_1 \times X_2}.\,f\,(\mathrm{pr}_L\,z)(\mathrm{pr}_R\,z))\,(\mathrm{merge}_{\mathfrak M}\,\bar x\,\bar y).
\end{aligned}
$$

For instance:

$$
\mathrm{star}_2 = \lambda f^{X \to Y \to T_{\mathfrak M} Z}.\,\lambda \bar x^{T_{\mathfrak M} X}.\,\lambda \bar y^{T_{\mathfrak M} Y}.\,
\mathrm{star}_{\mathfrak M}\,(\lambda z^{X \times Y}.\,f\,(\mathrm{pr}_L\,z)(\mathrm{pr}_R\,z))\,(\mathrm{merge}_{\mathfrak M}\,\bar x\,\bar y).
$$

Moreover we shall need to "raise" the return value of a term $f : X_1 \to \cdots \to X_k \to Y$
with $\mathrm{unit}_{\mathfrak M}$ before we apply $\mathrm{star}_k$. We define the family of terms $\mathrm{raise}_k$ by means of $\mathrm{star}_k$,
for any $k \geq 0$:

$$
\begin{aligned}
\mathrm{raise}_k &: (X_1 \to \cdots \to X_k \to Y) \to (T_{\mathfrak M} X_1 \to \cdots \to T_{\mathfrak M} X_k \to T_{\mathfrak M} Y),\\
\mathrm{raise}_k &= \lambda f^{X_1 \to \cdots \to X_k \to Y}.\,\mathrm{star}_k\,(\lambda x_1^{X_1}.\,\cdots\,\lambda x_k^{X_k}.\,\mathrm{unit}_{\mathfrak M}(f\,x_1 \cdots x_k)).
\end{aligned}
$$

Now we can show how to extract a monadic realizer from a proof in HA. Let $D$ be a
derivation of some formula $A$ in HA, that is, a derivation ending with $\Gamma \vdash A$. We produce a
decorated derivation by replacing each rule instance in $D$ with the suitable instance of the
decorated version of the same rule given in Figure 3.1. These decorated rules differ from
the previous version in that they replace sequents with decorated sequents, that is, they bind
a term to each formula, where the term bound to the conclusion of a rule is built from the
terms bound to the premises. Thus we have defined a term by structural induction on the
derivation: if the conclusion of the decorated derivation is $\Gamma \Vdash_{\mathfrak M} \bar r : A$ then we set $D^* = \bar r$.

In Figure 3.1, the rule labeled Atm shows how to decorate any atomic rule of HA. By
unfolding the definitions, we may check that an atomic rule is interpreted as a kind of "merging"
of the information associated to each premise. The nature of the merging depends on the
monad we choose.
Figure 3.1: HA rules, decorated with monadic realizers.

$$
\begin{gathered}
\frac{\;}{\Gamma \Vdash_{\mathfrak M} \mathrm{raise}_0\,\alpha : A}\;\text{Id}
\qquad
\frac{\Gamma \Vdash_{\mathfrak M} \bar r_1 : P_1 \quad \cdots \quad \Gamma \Vdash_{\mathfrak M} \bar r_l : P_l}
     {\Gamma \Vdash_{\mathfrak M} \mathrm{raise}_l\,(\lambda y_1^{\mathrm{Unit}}.\,\cdots\,\lambda y_l^{\mathrm{Unit}}.\,*)\,\bar r_1 \cdots \bar r_l : P}\;\text{Atm}
\\[1.5ex]
\frac{\Gamma \Vdash_{\mathfrak M} \bar r_1 : A \quad \Gamma \Vdash_{\mathfrak M} \bar r_2 : B}
     {\Gamma \Vdash_{\mathfrak M} \mathrm{raise}_2\,\mathrm{pair}\,\bar r_1\,\bar r_2 : A \wedge B}\;\wedge\text{I}
\qquad
\frac{\Gamma \Vdash_{\mathfrak M} \bar r : A \wedge B}{\Gamma \Vdash_{\mathfrak M} \mathrm{raise}_1\,\mathrm{pr}_L\,\bar r : A}\;\wedge\text{E}_L
\qquad
\frac{\Gamma \Vdash_{\mathfrak M} \bar r : A \wedge B}{\Gamma \Vdash_{\mathfrak M} \mathrm{raise}_1\,\mathrm{pr}_R\,\bar r : B}\;\wedge\text{E}_R
\\[1.5ex]
\frac{\Gamma \Vdash_{\mathfrak M} \bar r_1 : A}{\Gamma \Vdash_{\mathfrak M} \mathrm{raise}_1\,\mathrm{in}_L\,\bar r_1 : A \vee B}\;\vee\text{I}_L
\qquad
\frac{\Gamma \Vdash_{\mathfrak M} \bar r_2 : B}{\Gamma \Vdash_{\mathfrak M} \mathrm{raise}_1\,\mathrm{in}_R\,\bar r_2 : A \vee B}\;\vee\text{I}_R
\\[1.5ex]
\frac{\Gamma \Vdash_{\mathfrak M} \bar r : A \vee B \quad \Gamma, \alpha_{k+1} : A \Vdash_{\mathfrak M} \bar p : C \quad \Gamma, \alpha_{k+1} : B \Vdash_{\mathfrak M} \bar q : C}
     {\Gamma \Vdash_{\mathfrak M} \mathrm{star}_1\,(\lambda y^{|A|_{\mathfrak M} + |B|_{\mathfrak M}}.\,\mathrm{case}\,y\,(\lambda \alpha_{k+1}^{|A|_{\mathfrak M}}.\,\bar p)(\lambda \alpha_{k+1}^{|B|_{\mathfrak M}}.\,\bar q))\,\bar r : C}\;\vee\text{E}
\\[1.5ex]
\frac{\Gamma, \alpha_{k+1} : A \Vdash_{\mathfrak M} \bar r : B}
     {\Gamma \Vdash_{\mathfrak M} \mathrm{raise}_0\,(\lambda \alpha_{k+1}^{|A|_{\mathfrak M}}.\,\bar r) : A \to B}\;\to\text{I}
\qquad
\frac{\Gamma \Vdash_{\mathfrak M} \bar r : A \to B \quad \Gamma \Vdash_{\mathfrak M} \bar p : A}
     {\Gamma \Vdash_{\mathfrak M} \mathrm{star}_2\,(\lambda y'^{|A \to B|_{\mathfrak M}}.\,\lambda y^{|A|_{\mathfrak M}}.\,y'\,y)\,\bar r\,\bar p : B}\;\to\text{E}
\\[1.5ex]
\frac{\Gamma \Vdash_{\mathfrak M} \bar r : A}{\Gamma \Vdash_{\mathfrak M} \mathrm{raise}_0\,(\lambda x^{\mathrm{Nat}}.\,\bar r) : \forall x.\,A}\;\forall\text{I}
\qquad
\frac{\Gamma \Vdash_{\mathfrak M} \bar r : \forall x.\,A}
     {\Gamma \Vdash_{\mathfrak M} \mathrm{star}_1\,(\lambda y^{\mathrm{Nat} \to \|A\|_{\mathfrak M}}.\,y\,t)\,\bar r : A[x := t]}\;\forall\text{E}
\\[1.5ex]
\frac{\Gamma \Vdash_{\mathfrak M} \bar r : A[x := t]}
     {\Gamma \Vdash_{\mathfrak M} \mathrm{raise}_1\,(\lambda y^{|A|_{\mathfrak M}}.\,\mathrm{pair}\,t\,y)\,\bar r : \exists x.\,A}\;\exists\text{I}
\qquad
\frac{\Gamma \Vdash_{\mathfrak M} \bar r_1 : \exists x.\,A \quad \Gamma, \alpha : A[x := y] \Vdash_{\mathfrak M} \bar r_2 : C}
     {\Gamma \Vdash_{\mathfrak M} \mathrm{star}_1\,(\lambda z^{\mathrm{Nat} \times |A|_{\mathfrak M}}.\,(\lambda y^{\mathrm{Nat}}.\,\lambda \alpha^{|A|_{\mathfrak M}}.\,\bar r_2)(\mathrm{pr}_L\,z)(\mathrm{pr}_R\,z))\,\bar r_1 : C}\;\exists\text{E}
\\[1.5ex]
\frac{\Gamma, \alpha_{k+1} : \forall z.\,z < y \to A[x := z] \Vdash_{\mathfrak M} \bar r : A[x := y]}
     {\Gamma \Vdash_{\mathfrak M} \mathrm{raise}_0\,(\mathrm{crec}_\infty\,f) : \forall x.\,A}
\end{gathered}
$$

where all formulas in rule Atm are atomic, $t$ is any term and $f$ is defined as follows:

$$
f = \lambda y^{\mathrm{Nat}}.\,\lambda \beta^{\mathrm{Nat} \to T_{\mathfrak M}|A|_{\mathfrak M}}.\,
(\lambda \alpha_{k+1}^{\mathrm{Nat} \to T_{\mathfrak M}(\mathrm{Unit} \to T_{\mathfrak M}|A|_{\mathfrak M})}.\,\bar r)\,(\lambda z^{\mathrm{Nat}}.\,\mathrm{raise}_0\,(\lambda u^{\mathrm{Unit}}.\,\beta\,z)),
$$

with $\beta$ not free in $\bar r$.



Remark 2. In Figure 3.1, we wrote all realizers using only $\mathrm{raise}_k$ and $\mathrm{star}_k$ for the sake of
consistency, but note that $\mathrm{raise}_0$ could have been replaced by $\mathrm{unit}_{\mathfrak M}$, since it reduces to it:

$$
\begin{aligned}
\mathrm{raise}_0 &= \lambda f^{Z}.\,\mathrm{star}_0\,(\mathrm{unit}_{\mathfrak M}\,f)\\
&= \lambda f^{Z}.\,(\lambda f^{T_{\mathfrak M} Z}.\,f)(\mathrm{unit}_{\mathfrak M}\,f)\\
&\to_\beta \lambda f^{Z}.\,\mathrm{unit}_{\mathfrak M}\,f\\
&=_\eta \mathrm{unit}_{\mathfrak M}.
\end{aligned}
$$

Moreover $\mathrm{raise}_2\,\mathrm{pair}$ reduces to $\mathrm{merge}_{\mathfrak M}$:

$$
\begin{aligned}
\mathrm{raise}_2\,\mathrm{pair} &= (\lambda f^{X \to Y \to X \times Y}.\,\mathrm{star}_2\,(\lambda x^X.\,\lambda y^Y.\,\mathrm{unit}_{\mathfrak M}(f\,x\,y)))\,\mathrm{pair}\\
&\to_\beta \mathrm{star}_2\,(\lambda x^X.\,\lambda y^Y.\,\mathrm{unit}_{\mathfrak M}(\mathrm{pair}\,x\,y))\\
&= (\lambda f^{X \to Y \to T_{\mathfrak M}(X \times Y)}.\,\lambda \bar x^{T_{\mathfrak M} X}.\,\lambda \bar y^{T_{\mathfrak M} Y}.\,
\mathrm{star}_{\mathfrak M}\,(\lambda z^{X \times Y}.\,f\,(\mathrm{pr}_L\,z)(\mathrm{pr}_R\,z))(\mathrm{merge}_{\mathfrak M}\,\bar x\,\bar y))\,(\lambda x^X.\,\lambda y^Y.\,\mathrm{unit}_{\mathfrak M}(\mathrm{pair}\,x\,y))\\
&\to_\beta \lambda \bar x^{T_{\mathfrak M} X}.\,\lambda \bar y^{T_{\mathfrak M} Y}.\,
\mathrm{star}_{\mathfrak M}\,(\lambda z^{X \times Y}.\,(\lambda x^X.\,\lambda y^Y.\,\mathrm{unit}_{\mathfrak M}(\mathrm{pair}\,x\,y))(\mathrm{pr}_L\,z)(\mathrm{pr}_R\,z))(\mathrm{merge}_{\mathfrak M}\,\bar x\,\bar y)\\
&\to_\beta \lambda \bar x^{T_{\mathfrak M} X}.\,\lambda \bar y^{T_{\mathfrak M} Y}.\,
\mathrm{star}_{\mathfrak M}\,(\lambda z^{X \times Y}.\,\mathrm{unit}_{\mathfrak M}(\mathrm{pair}\,(\mathrm{pr}_L\,z)(\mathrm{pr}_R\,z)))(\mathrm{merge}_{\mathfrak M}\,\bar x\,\bar y)\\
&=_\times \lambda \bar x^{T_{\mathfrak M} X}.\,\lambda \bar y^{T_{\mathfrak M} Y}.\,
\mathrm{star}_{\mathfrak M}\,(\lambda z^{X \times Y}.\,\mathrm{unit}_{\mathfrak M}\,z)(\mathrm{merge}_{\mathfrak M}\,\bar x\,\bar y)\\
&=_\eta \lambda \bar x^{T_{\mathfrak M} X}.\,\lambda \bar y^{T_{\mathfrak M} Y}.\,
\mathrm{star}_{\mathfrak M}\,\mathrm{unit}_{\mathfrak M}\,(\mathrm{merge}_{\mathfrak M}\,\bar x\,\bar y)\\
&\rightsquigarrow_{\mathrm{M1}} \lambda \bar x^{T_{\mathfrak M} X}.\,\lambda \bar y^{T_{\mathfrak M} Y}.\,\mathrm{merge}_{\mathfrak M}\,\bar x\,\bar y\\
&=_\eta \mathrm{merge}_{\mathfrak M},
\end{aligned}
$$

where the step marked M1 is Property M1 of Definition 4, $\mathrm{star}_{\mathfrak M}\,\mathrm{unit}_{\mathfrak M}\,\bar x \rightsquigarrow \bar x$; so we could replace $\mathrm{raise}_2\,\mathrm{pair}$ by $\mathrm{merge}_{\mathfrak M}$ in ∧I.
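The generalized lifting $\mathrm{star}_k$ and $\mathrm{raise}_k$ of Section 3.2.1, together with the two identities of Remark 2, as an added Python example (this is not code from the dissertation). A syntactic monad is passed around as a plain object with `unit`, `star` and `merge` attributes, and `star_k` follows the recursive definition exactly, packing the first two monadic arguments with $\mathrm{merge}_{\mathfrak M}$ and projecting them out again; the $k$ arguments are passed positionally rather than curried. To run it we instantiate a state monad $T X = S \to X \times S$ whose state $S$ is a tuple of "learned facts"; the state monad, the helper `learn` and every function name below are ours, chosen to mimic a knowledge state, and are not the dissertation's interactive-realizability construction.

```python
"""star_k and raise_k over an arbitrary syntactic monad.

Added example, not code from the dissertation.  The monad is a plain object
with unit/star/merge attributes; the instance run here is a state monad
T X = S -> X x S (our choice, S = tuple of learned facts).
"""
from types import SimpleNamespace


# ---- star_k and raise_k, generic in the monad M ---------------------------
def star_k(M, k, f):
    """star_k f : (X1 -> ... -> Xk -> T Y) -> (T X1 -> ... -> T Xk -> T Y)."""
    if k == 0:                                 # star_0 f = f  (f is already a T Y value)
        return f
    if k == 1:                                 # star_1 = star_M
        return M.star(f)
    # star_{k} f xb yb rest = star_{k-1} (lambda z. f (pr_L z) (pr_R z) ...) (merge xb yb) rest
    packed = star_k(M, k - 1, lambda z, *rest: f(z[0], z[1], *rest))
    return lambda xb, yb, *rest: packed(M.merge(xb, yb), *rest)


def raise_k(M, k, f):
    """raise_k f = star_k (lambda x1 ... xk. unit_M (f x1 ... xk)); raise_0 f = unit_M f."""
    if k == 0:
        return M.unit(f)
    return star_k(M, k, lambda *xs: M.unit(f(*xs)))


# ---- a state monad: T X = S -> X x S ----------------------------------------
def s_unit(x):
    return lambda s: (x, s)


def s_star(f):                                 # (X -> T Y) -> (T X -> T Y)
    def lifted(xb):
        def run(s):
            x, s1 = xb(s)
            return f(x)(s1)
        return run
    return lifted


def s_merge(xb, yb):                           # T X -> T Y -> T (X x Y), threading the state
    def run(s):
        x, s1 = xb(s)
        y, s2 = yb(s1)
        return ((x, y), s2)
    return run


ST = SimpleNamespace(unit=s_unit, star=s_star, merge=s_merge)


def learn(fact):
    """A stateful computation: yields `fact` and appends it to the state."""
    return lambda s: (fact, s + (fact,))


def state_laws_hold(xb, x, y, f, s):
    """M1-M3 of Definition 4 for ST, checked by running both sides from state s."""
    m1 = ST.star(ST.unit)(xb)(s) == xb(s)
    m2 = ST.star(f)(ST.unit(x))(s) == f(x)(s)
    m3 = ST.merge(ST.unit(x), ST.unit(y))(s) == ST.unit((x, y))(s)
    return m1 and m2 and m3


# ---- worked uses --------------------------------------------------------------
def add_learned(a, b):
    """raise_2 (+) applied to two stateful arguments, run from the empty state."""
    return raise_k(ST, 2, lambda u, v: u + v)(learn(a), learn(b))(())


def raise2_pair_is_merge(a, b):
    """Remark 2: raise_2 pair and merge_M agree (here checked on one run)."""
    lhs = raise_k(ST, 2, lambda u, v: (u, v))(learn(a), learn(b))(())
    rhs = ST.merge(learn(a), learn(b))(())
    return lhs == rhs


def sum3_learned(a, b, c):
    """star_3 with a body that itself records a fact, exercising the nested merges."""
    body = lambda u, v, w: learn(u + v + w)
    return star_k(ST, 3, body)(learn(a), learn(b), learn(c))(())
```

`sum3_learned(1, 2, 3)` returns `(6, (1, 2, 3, 6))`: the three arguments are run left to right through the nested $\mathrm{merge}_{\mathfrak M}$ calls, their facts are recorded in that order, and the body's own `learn` appends the sum last. With the identity monad in place of `ST` the same `star_k` collapses to plain function application, which is the sense in which Figure 3.1 reduces to the standard decoration for $\mathfrak{Id}$.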

Note how the monadic realizer of each rule is obtained by lifting the suitable term in
the corresponding standard modified realizer with $\mathrm{star}_k$ or $\mathrm{raise}_k$. These monadic realizers
do not take advantage of particular monadic features (it cannot be otherwise, since we have
made no assumption on the syntactic monad or the monadic realizability relation). The main
difference is that they can act as "glue" between "true" monadic realizers of non-constructive
axioms and rules, for instance the one we shall build in Section 3.3.

Here we can see that monadic realizability generalizes intuitionistic realizability: the decorated
rules in Figure 3.1 reduce to the standard decorated rules for intuitionistic modified
realizability in the case of the identity monad $\mathfrak{Id}$.

3.2.2 The Soundness Theorem 

In this subsection we prove that HA is sound with respect to the monadic realizability semantics
given in Definition 7. This amounts to saying that we can use proof decoration to extract,
from any proof in HA, a monadic realizer that makes its conclusion valid. We prove this for a
generic monad, which means that the soundness of HA does not depend on the special properties
of any specific monad. The proof only needs the simple properties we have required
in Definition 6.

Before proving the main result, we need to show that star* and raises satisfy a general- 
ization of Property MR2. 

Proposition 1 (Monadic Realizability Property for $\mathrm{star}_k$). Let $A_1, \dots, A_k$ and $B$ be any formulas and let $r : |A_1|_{\mathfrak M} \to \dots \to |A_k|_{\mathfrak M} \to \|B\|_{\mathfrak M}$ be a term. Assume that, for all terms $p_1 : |A_1|_{\mathfrak M}, \dots, p_k : |A_k|_{\mathfrak M}$ such that $p_1\ R_{\mathfrak M}\ A_1, \dots, p_k\ R_{\mathfrak M}\ A_k$, we have:

$$r\, p_1 \cdots p_k\ \mathfrak R_{\mathfrak M}\ B.$$

Then, for all terms $\mathbf p_1 : \|A_1\|_{\mathfrak M}, \dots, \mathbf p_k : \|A_k\|_{\mathfrak M}$ such that $\mathbf p_1\ \mathfrak R_{\mathfrak M}\ A_1, \dots, \mathbf p_k\ \mathfrak R_{\mathfrak M}\ A_k$, we have:

$$\mathrm{star}_k\, r\, \mathbf p_1 \cdots \mathbf p_k\ \mathfrak R_{\mathfrak M}\ B.$$

Proof. By induction on $k$. For $k = 0$ it is trivial and for $k = 1$ it follows from Property MR2, since $\mathrm{star}_1 = \mathrm{star}_{\mathfrak M}$. Now we just need to prove that if the statement holds for some $k \geq 1$, it holds for $k + 1$ too.

As in the statement we assume that, for all terms $p_1 : |A_1|_{\mathfrak M}, \dots, p_{k+1} : |A_{k+1}|_{\mathfrak M}$ such that $p_1\ R_{\mathfrak M}\ A_1, \dots, p_{k+1}\ R_{\mathfrak M}\ A_{k+1}$:

$$r\, p_1 \cdots p_{k+1}\ \mathfrak R_{\mathfrak M}\ B,$$

and that $\mathbf p_1 : \|A_1\|_{\mathfrak M}, \dots, \mathbf p_{k+1} : \|A_{k+1}\|_{\mathfrak M}$ are terms such that $\mathbf p_1\ \mathfrak R_{\mathfrak M}\ A_1, \dots, \mathbf p_{k+1}\ \mathfrak R_{\mathfrak M}\ A_{k+1}$. We need to show that:

$$\mathrm{star}_{k+1}\, r\, \mathbf p_1 \cdots \mathbf p_{k+1}\ \mathfrak R_{\mathfrak M}\ B.$$

Since we know by definition of $\mathrm{star}_{k+1}$ that $\mathrm{star}_{k+1}\, r\, \mathbf p_1 \cdots \mathbf p_{k+1}$ reduces to the term:

$$\mathrm{star}_k\,(\lambda z^{|A_1|_{\mathfrak M} \times |A_2|_{\mathfrak M}}.\ r\,(\mathrm{pr}_L z)(\mathrm{pr}_R z))(\mathrm{merge}_{\mathfrak M}\, \mathbf p_1\, \mathbf p_2)\, \mathbf p_3 \cdots \mathbf p_{k+1},$$

and by Property MR3 that $\mathrm{merge}_{\mathfrak M}\, \mathbf p_1\, \mathbf p_2\ \mathfrak R_{\mathfrak M}\ A_1 \wedge A_2$, we see that we can use the inductive hypothesis on $k$ to conclude. In order to do so we have to show that the assumption of the inductive hypothesis holds, namely that, for any $p_1 : |A_1|_{\mathfrak M} \times |A_2|_{\mathfrak M},\ p_3 : |A_3|_{\mathfrak M}, \dots, p_{k+1} : |A_{k+1}|_{\mathfrak M}$ such that $p_1\ R_{\mathfrak M}\ A_1 \wedge A_2,\ p_3\ R_{\mathfrak M}\ A_3, \dots, p_{k+1}\ R_{\mathfrak M}\ A_{k+1}$, it is the case that:

$$(\lambda z^{|A_1|_{\mathfrak M} \times |A_2|_{\mathfrak M}}.\ r\,(\mathrm{pr}_L z)(\mathrm{pr}_R z))\, p_1\, p_3 \cdots p_{k+1}\ \mathfrak R_{\mathfrak M}\ B.$$

By reducing the realizer we get that this is equivalent to:

$$r\,(\mathrm{pr}_L p_1)(\mathrm{pr}_R p_1)\, p_3 \cdots p_{k+1}\ \mathfrak R_{\mathfrak M}\ B,$$

which is true by the assumption on $r$, since $p_1\ R_{\mathfrak M}\ A_1 \wedge A_2$ means that $\mathrm{pr}_L p_1\ R_{\mathfrak M}\ A_1$ and $\mathrm{pr}_R p_1\ R_{\mathfrak M}\ A_2$ by definition of $R_{\mathfrak M}$. □

We prove a similar property for $\mathrm{raise}_k$.

Proposition 2 (Monadic Realizability Property for $\mathrm{raise}_k$). Let $A_1, \dots, A_k$ and $B$ be any formulas and let $r : |A_1|_{\mathfrak M} \to \dots \to |A_k|_{\mathfrak M} \to |B|_{\mathfrak M}$ be a term. Assume that, for all terms $p_1 : |A_1|_{\mathfrak M}, \dots, p_k : |A_k|_{\mathfrak M}$ such that $p_1\ R_{\mathfrak M}\ A_1, \dots, p_k\ R_{\mathfrak M}\ A_k$, it is the case that:

$$r\, p_1 \cdots p_k\ R_{\mathfrak M}\ B.$$

Then, for all terms $\mathbf p_1 : \|A_1\|_{\mathfrak M}, \dots, \mathbf p_k : \|A_k\|_{\mathfrak M}$ such that $\mathbf p_1\ \mathfrak R_{\mathfrak M}\ A_1, \dots, \mathbf p_k\ \mathfrak R_{\mathfrak M}\ A_k$, we have that:

$$\mathrm{raise}_k\, r\, \mathbf p_1 \cdots \mathbf p_k\ \mathfrak R_{\mathfrak M}\ B.$$

Proof. Assume that, for all terms $p_1 : |A_1|_{\mathfrak M}, \dots, p_k : |A_k|_{\mathfrak M}$ such that $p_1\ R_{\mathfrak M}\ A_1, \dots, p_k\ R_{\mathfrak M}\ A_k$, it is the case that:

$$r\, p_1 \cdots p_k\ R_{\mathfrak M}\ B,$$

and let $\mathbf p_1 : \|A_1\|_{\mathfrak M}, \dots, \mathbf p_k : \|A_k\|_{\mathfrak M}$ be terms such that $\mathbf p_1\ \mathfrak R_{\mathfrak M}\ A_1, \dots, \mathbf p_k\ \mathfrak R_{\mathfrak M}\ A_k$. We want to prove that:

$$\mathrm{raise}_k\, r\, \mathbf p_1 \cdots \mathbf p_k\ \mathfrak R_{\mathfrak M}\ B.$$

By definition of $\mathrm{raise}_k$ this reduces to:

$$\mathrm{star}_k\,(\lambda x_1^{|A_1|_{\mathfrak M}}. \cdots \lambda x_k^{|A_k|_{\mathfrak M}}.\ \mathrm{unit}_{\mathfrak M}(r\, x_1 \cdots x_k))\, \mathbf p_1 \cdots \mathbf p_k\ \mathfrak R_{\mathfrak M}\ B.$$

This follows by Proposition 1 if we can show that, for any $p_1 : |A_1|_{\mathfrak M}, \dots, p_k : |A_k|_{\mathfrak M}$ such that $p_1\ R_{\mathfrak M}\ A_1, \dots, p_k\ R_{\mathfrak M}\ A_k$, we have:

$$(\lambda x_1^{|A_1|_{\mathfrak M}}. \cdots \lambda x_k^{|A_k|_{\mathfrak M}}.\ \mathrm{unit}_{\mathfrak M}(r\, x_1 \cdots x_k))\, p_1 \cdots p_k\ \mathfrak R_{\mathfrak M}\ B.$$

Reducing the realizer we get that this is equivalent to:

$$\mathrm{unit}_{\mathfrak M}(r\, p_1 \cdots p_k)\ \mathfrak R_{\mathfrak M}\ B,$$

and this follows by Property MR1 and by the assumption on $r$. □
Now we are ready to prove the soundness theorem.

Theorem 1 (Soundness of HA with respect to the Monadic Realizability Semantics). Let $D$ be a derivation of $\Gamma \vdash A$ in HA and $\mathfrak R_{\mathfrak M}$ a monadic realizability relation. Then $\Gamma \Vdash_{\mathfrak M} D^* : A$ is valid with respect to $\mathfrak R_{\mathfrak M}$.

The proof is long but simple, proceeding by induction on the structure of the decorated 
version of D. 

Proof. We proceed by induction on the structure of the decorated version of D, that is, we 
assume that the statement holds for all decorated sub-derivations of D and we prove that it 
holds for D too. More precisely we have to check the soundness of each decorated rule, 
showing that the validity of the premises yields the validity of the conclusion. 

We start with some general notation and observations. Let $\Gamma = \alpha_1 : A_1, \dots, \alpha_k : A_k$ for some $k$. Following the notation in Definition 7, we fix natural numbers $n_1, \dots, n_l$ and terms $\mathbf r_1, \dots, \mathbf r_k$ with $\mathbf r_i : \|A_i\|_{\mathfrak M}$, and we define the abbreviations:

$$\begin{aligned}
\Omega &= x_1 := n_1, \dots, x_l := n_l,\\
\Sigma &= \alpha_1 := \mathbf r_1, \dots, \alpha_k := \mathbf r_k,
\end{aligned}$$

and we assume that:

$$\mathbf r_1\ \mathfrak R_{\mathfrak M}\ A_1[\Omega] \quad \dots \quad \mathbf r_k\ \mathfrak R_{\mathfrak M}\ A_k[\Omega].$$

Note that if some term $t : X_1 \to \dots \to X_k \to Y$ has no free variables then $(t\, a_1 \cdots a_k)[\Omega, \Sigma] = t\,(a_1[\Omega, \Sigma]) \cdots (a_k[\Omega, \Sigma])$. In particular this holds if $t$ is one of $\mathrm{star}_k$, $\mathrm{raise}_k$, $\mathrm{pair}$, $\mathrm{pr}_L$, $\mathrm{pr}_R$, $\mathrm{case}$, $\mathrm{in}_L$, $\mathrm{in}_R$. The same holds for formulas, so $(A * B)[\Omega] = A[\Omega] * B[\Omega]$ where $*$ is one of $\wedge$, $\vee$ or $\to$. Also note that $|A[\Omega]|_{\mathfrak M} = |A|_{\mathfrak M}$, since $|\cdot|_{\mathfrak M}$ does not depend on the terms in $A$. In particular the types of the proof variables in $\Gamma$ do not change, meaning that we do not need to perform substitutions in $\Gamma$. We shall take advantage of these facts without mentioning them.

Now we can start showing that the rules are sound. 

Id We have to prove that:

$$(\mathrm{raise}_0\, \alpha_i)[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ A[\Omega],$$

where $A = A_i$ for some $i \in \{1, \dots, k\}$. By performing the substitutions, we can rewrite the realizer as $\mathrm{raise}_0\, \mathbf r_i$, so we need to prove that:

$$\mathrm{raise}_0\, \mathbf r_i\ \mathfrak R_{\mathfrak M}\ A[\Omega].$$

This follows by Proposition 2 since by assumption $\mathbf r_i\ \mathfrak R_{\mathfrak M}\ A_i[\Omega]$.
Atm We have to prove that:

$$(\mathrm{raise}_l\,(\lambda y_1^{\mathrm{Unit}}. \cdots \lambda y_l^{\mathrm{Unit}}.\ \ast)\, \mathbf r_1 \cdots \mathbf r_l)[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ P[\Omega].$$

By performing the substitutions, we can rewrite the realizer as:

$$\mathrm{raise}_l\,(\lambda y_1^{\mathrm{Unit}}. \cdots \lambda y_l^{\mathrm{Unit}}.\ \ast)\, \mathbf r_1[\Omega, \Sigma] \cdots \mathbf r_l[\Omega, \Sigma].$$

By inductive hypothesis we know that

$$\mathbf r_1[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ P_1[\Omega], \quad \dots, \quad \mathbf r_l[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ P_l[\Omega],$$

and thus we can conclude by Proposition 2 if we can show that:

$$(\lambda y_1^{\mathrm{Unit}}. \cdots \lambda y_l^{\mathrm{Unit}}.\ \ast)\, r_1 \cdots r_l\ R_{\mathfrak M}\ P[\Omega],$$

for all $r_1, \dots, r_l$ that are inner realizers of $P_1, \dots, P_l$ respectively. Since

$$(\lambda y_1^{\mathrm{Unit}}. \cdots \lambda y_l^{\mathrm{Unit}}.\ \ast)\, r_1 \cdots r_l$$

reduces to $\ast$ and $\ast\ R_{\mathfrak M}\ P[\Omega]$ by definition of $R_{\mathfrak M}$, we are done.

In the following we will apply the substitutions directly without mentioning it. 

$\wedge$I We have to prove that

$$\mathrm{raise}_2\, \mathrm{pair}\, \mathbf p[\Omega, \Sigma]\, \mathbf q[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ A[\Omega] \wedge B[\Omega],$$

assuming that $\mathbf p[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ A[\Omega]$ and $\mathbf q[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ B[\Omega]$. This follows by Proposition 2 since

$$\mathrm{pair}\, p\, q\ R_{\mathfrak M}\ A \wedge B,$$

for all inner realizers $p$ of $A$ and $q$ of $B$, by definition of $R_{\mathfrak M}$.
$\wedge$El We have to prove that

$$(\mathrm{raise}_1\, \mathrm{pr}_L\, \mathbf r)[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ A[\Omega],$$

assuming that

$$\mathbf r[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ A[\Omega] \wedge B[\Omega].$$

This follows by Proposition 2 if

$$\mathrm{pr}_L\, r\ R_{\mathfrak M}\ A[\Omega],$$

for any inner realizer $r$ of $A[\Omega] \wedge B[\Omega]$. This is the case because $r\ R_{\mathfrak M}\ A \wedge B$ holds if and only if $\mathrm{pr}_L\, r\ R_{\mathfrak M}\ A$ and $\mathrm{pr}_R\, r\ R_{\mathfrak M}\ B$, by definition of $R_{\mathfrak M}$.

$\wedge$Er Very similar to the proof for $\wedge$El.

$\vee$Il We have to show that:

$$\mathrm{raise}_1\, \mathrm{in}_L\, \mathbf p[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ A[\Omega] \vee B[\Omega],$$

assuming that:

$$\mathbf p[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ A[\Omega].$$

This follows by Proposition 2 if

$$\mathrm{in}_L\, p\ R_{\mathfrak M}\ A[\Omega] \vee B[\Omega],$$

for any inner realizer $p$ of $A[\Omega]$. This is the case since $p\ R_{\mathfrak M}\ A[\Omega]$ if and only if $\mathrm{in}_L\, p\ R_{\mathfrak M}\ A[\Omega] \vee B[\Omega]$, by definition of $R_{\mathfrak M}$.

$\vee$Ir Very similar to the proof for $\vee$Il.

$\vee$E We have to show that:

$$\mathrm{star}_1\,(\lambda y^{|A|_{\mathfrak M} + |B|_{\mathfrak M}}.\ \mathrm{case}\, y\,(\lambda \alpha^{|A|_{\mathfrak M}}.\ \mathbf p[\Omega, \Sigma])(\lambda \beta^{|B|_{\mathfrak M}}.\ \mathbf q[\Omega, \Sigma]))\, \mathbf r[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ C[\Omega],$$

assuming by inductive hypothesis that:

1. $\mathbf r[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ A[\Omega] \vee B[\Omega]$,

2. $\mathbf p[\Omega, \Sigma, \alpha := p]\ \mathfrak R_{\mathfrak M}\ C[\Omega]$ for any inner realizer $p$ of $A[\Omega]$,

3. $\mathbf q[\Omega, \Sigma, \beta := q]\ \mathfrak R_{\mathfrak M}\ C[\Omega]$ for any inner realizer $q$ of $B[\Omega]$.

We can conclude by Proposition 1 if we show that

$$(\lambda y^{|A|_{\mathfrak M} + |B|_{\mathfrak M}}.\ \mathrm{case}\, y\,(\lambda \alpha^{|A|_{\mathfrak M}}.\ \mathbf p[\Omega, \Sigma])(\lambda \beta^{|B|_{\mathfrak M}}.\ \mathbf q[\Omega, \Sigma]))\, r,$$

which $\beta$-reduces to

$$\mathrm{case}\, r\,(\lambda \alpha^{|A|_{\mathfrak M}}.\ \mathbf p[\Omega, \Sigma])(\lambda \beta^{|B|_{\mathfrak M}}.\ \mathbf q[\Omega, \Sigma]), \tag{3.1}$$

is a monadic realizer of $C[\Omega]$ for any inner realizer $r$ of $A[\Omega] \vee B[\Omega]$.

By definition of $R_{\mathfrak M}$, we know that either $r \twoheadrightarrow \mathrm{in}_L\, p$ where $p$ is an inner realizer of $A[\Omega]$, or $r \twoheadrightarrow \mathrm{in}_R\, q$ where $q$ is an inner realizer of $B[\Omega]$. Assume that we are in the first case (the second case is analogous). Then (3.1) becomes:

$$\mathrm{case}\,(\mathrm{in}_L\, p)\,(\lambda \alpha^{|A|_{\mathfrak M}}.\ \mathbf p[\Omega, \Sigma])(\lambda \beta^{|B|_{\mathfrak M}}.\ \mathbf q[\Omega, \Sigma]),$$

which reduces to

$$(\lambda \alpha^{|A|_{\mathfrak M}}.\ \mathbf p[\Omega, \Sigma])\, p,$$

and to

$$\mathbf p[\Omega, \Sigma, \alpha := p],$$

which is a monadic realizer of $C[\Omega]$ by inductive hypothesis.
$\to$I We have to show that:

$$\mathrm{raise}_0\,(\lambda \alpha_{k+1}^{|A|_{\mathfrak M}}.\ \mathbf r[\Omega, \Sigma])\ \mathfrak R_{\mathfrak M}\ A[\Omega] \to B[\Omega],$$

assuming that:

$$\mathbf r[\Omega, \Sigma, \alpha_{k+1} := p]\ \mathfrak R_{\mathfrak M}\ B[\Omega],$$

for any inner realizer $p$ of $A[\Omega]$. By Proposition 2 it is enough to show that:

$$\lambda \alpha_{k+1}^{|A|_{\mathfrak M}}.\ \mathbf r[\Omega, \Sigma]\ R_{\mathfrak M}\ A[\Omega] \to B[\Omega].$$

By definition of $R_{\mathfrak M}$ this holds if and only if:

$$(\lambda \alpha_{k+1}^{|A|_{\mathfrak M}}.\ \mathbf r[\Omega, \Sigma])\, p\ \mathfrak R_{\mathfrak M}\ B[\Omega],$$

for any inner realizer $p$ of $A[\Omega]$. Reducing we get:

$$\mathbf r[\Omega, \Sigma][\alpha_{k+1} := p]\ \mathfrak R_{\mathfrak M}\ B[\Omega],$$

and since $\mathbf r[\Omega, \Sigma][\alpha_{k+1} := p] = \mathbf r[\Omega, \Sigma, \alpha_{k+1} := p]$, we can conclude by the inductive hypothesis.

$\to$E We have to show that:

$$(\mathrm{star}_2\,(\lambda y_1^{|A|_{\mathfrak M} \to \|B\|_{\mathfrak M}}.\lambda y_2^{|A|_{\mathfrak M}}.\ y_1\, y_2)\, \mathbf r[\Omega, \Sigma]\, \mathbf p[\Omega, \Sigma])\ \mathfrak R_{\mathfrak M}\ B[\Omega],$$

assuming by inductive hypothesis that:

1. $\mathbf r[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ A[\Omega] \to B[\Omega]$,

2. $\mathbf p[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ A[\Omega]$.

This follows by Proposition 1 if:

$$(\lambda y_1^{|A|_{\mathfrak M} \to \|B\|_{\mathfrak M}}.\lambda y_2^{|A|_{\mathfrak M}}.\ y_1\, y_2)\, r\, p,$$

which $\beta$-reduces to

$$r\, p,$$

is a monadic realizer of $B[\Omega]$ for any inner realizers $r$ and $p$ of $A[\Omega] \to B[\Omega]$ and $A[\Omega]$ respectively. This follows immediately by definition of $R_{\mathfrak M}$.

In the following cases we assume that $\Omega$ does not contain a substitution for the variable $x$, and we write it explicitly when it is needed.

$\forall$I We have to show that:

$$\mathrm{raise}_0\,(\lambda x^{\mathrm{Nat}}.\ \mathbf r[\Omega, \Sigma])\ \mathfrak R_{\mathfrak M}\ \forall x.\, A[\Omega],$$

assuming by inductive hypothesis that:

$$\mathbf r[\Omega, x := n, \Sigma]\ \mathfrak R_{\mathfrak M}\ A[\Omega, x := n],$$

for any natural number $n$. This follows by Proposition 2 if:

$$(\lambda x^{\mathrm{Nat}}.\ \mathbf r[\Omega, \Sigma])\ R_{\mathfrak M}\ \forall x.\, A[\Omega],$$


38 Chapter 3. A Monadic Framework for Interactive Realizability 

which by definition of $R_{\mathfrak M}$ means that:

$$(\lambda x^{\mathrm{Nat}}.\ \mathbf r[\Omega, \Sigma])\, n\ \mathfrak R_{\mathfrak M}\ A[\Omega, x := n],$$

for any natural number $n$. By $\beta$-reducing we get:

$$\mathbf r[\Omega, x := n, \Sigma]\ \mathfrak R_{\mathfrak M}\ A[\Omega, x := n],$$

which holds by inductive hypothesis.
$\forall$E We have to show that:

$$(\mathrm{star}_1\,(\lambda r^{\mathrm{Nat} \to \|A\|_{\mathfrak M}}.\ r\,(t[\Omega])))\, \mathbf r[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ (A[x := t])[\Omega],$$

assuming by inductive hypothesis that:

$$\mathbf r[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ \forall x.\, A[\Omega].$$

This follows by Proposition 1 if:

$$(\lambda r^{\mathrm{Nat} \to \|A\|_{\mathfrak M}}.\ r\,(t[\Omega]))\, r \twoheadrightarrow r\,(t[\Omega])$$

is a monadic realizer of $(A[x := t])[\Omega]$, for any inner realizer $r$ of $\forall x.\, A[\Omega]$. This follows by definition of $R_{\mathfrak M}$ for $r\ R_{\mathfrak M}\ \forall x.\, A[\Omega]$, since $t[\Omega]$ is closed and thus reduces to a numeral.

$\exists$I We have to show that:

$$\mathrm{raise}_1\,(\lambda y^{|A|_{\mathfrak M}}.\ \mathrm{pair}\,(t[\Omega])\, y)\, \mathbf r[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ \exists x.\, A[\Omega],$$

assuming by inductive hypothesis that:

$$\mathbf r[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ A[\Omega, x := t].$$

This follows by Proposition 2 if:

$$(\lambda y^{|A|_{\mathfrak M}}.\ \mathrm{pair}\,(t[\Omega])\, y)\, r \twoheadrightarrow \mathrm{pair}\,(t[\Omega])\, r$$

is an inner realizer of $\exists x.\, A[\Omega]$, for any inner realizer $r$ of $A[\Omega, x := t]$. This follows by definition of $R_{\mathfrak M}$.
$\exists$E We have to show that:

$$\mathrm{star}_1\,(\lambda y^{\mathrm{Nat} \times |A|_{\mathfrak M}}.\ (\lambda y^{\mathrm{Nat}}.\lambda \alpha^{|A|_{\mathfrak M}}.\ \mathbf r_2[\Omega, \Sigma])(\mathrm{pr}_L y)(\mathrm{pr}_R y))\, \mathbf r_1[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ C[\Omega],$$

assuming by inductive hypothesis that:

1. $\mathbf r_1[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ \exists x.\, A[\Omega]$,

2. $\mathbf r_2[\Omega, y := n, \Sigma, \alpha := r]\ \mathfrak R_{\mathfrak M}\ C[\Omega]$, for any natural number $n$ and any inner realizer $r$ of $A[\Omega, x := n]$.

This follows by Proposition 1 and by the inductive hypothesis on $\mathbf r_1$ if, for any inner realizer $r_1$ of $\exists x.\, A[\Omega]$:

$$\begin{aligned}
&(\lambda y^{\mathrm{Nat} \times |A|_{\mathfrak M}}.\ (\lambda y^{\mathrm{Nat}}.\lambda \alpha^{|A|_{\mathfrak M}}.\ \mathbf r_2[\Omega, \Sigma])(\mathrm{pr}_L y)(\mathrm{pr}_R y))\, r_1\\
&\twoheadrightarrow (\lambda y^{\mathrm{Nat}}.\lambda \alpha^{|A|_{\mathfrak M}}.\ \mathbf r_2[\Omega, \Sigma])(\mathrm{pr}_L r_1)(\mathrm{pr}_R r_1)\\
&\twoheadrightarrow ((\mathbf r_2[\Omega, \Sigma])[y := \mathrm{pr}_L r_1])[\alpha := \mathrm{pr}_R r_1]\\
&= \mathbf r_2[\Omega, y := \mathrm{pr}_L r_1, \Sigma, \alpha := \mathrm{pr}_R r_1]
\end{aligned}$$

is a monadic realizer of $C[\Omega]$. By definition of $R_{\mathfrak M}$ we have that $\mathrm{pr}_R r_1\ R_{\mathfrak M}\ A[x := \mathrm{pr}_L r_1]$, and thus we can conclude by the inductive hypothesis on $\mathbf r_2$.

Ind We have to show that:

$$(\mathrm{raise}_0\,(\mathrm{crec}_\infty\, f))[\Omega, \Sigma]\ \mathfrak R_{\mathfrak M}\ (\forall x.\, A)[\Omega],$$

assuming that, for all natural numbers $n$ and for all $p : \mathrm{Nat} \to (\mathrm{Unit} \to T_{\mathfrak M}|A|_{\mathfrak M})$ such that $p\ R_{\mathfrak M}\ \forall z.\, z < n \to A[x := z]$:

$$\mathbf r[\Omega, y := n, \Sigma, \alpha_{k+1} := p]\ \mathfrak R_{\mathfrak M}\ A[x := y][\Omega, y := n].$$

Note that $A[x := y][\Omega, y := n]$ is just $A[\Omega, x := n]$. By Proposition 2 we get the conclusion if $\mathrm{crec}_\infty\, f[\Omega, \Sigma]\ R_{\mathfrak M}\ \forall x.\, A[\Omega]$, which by definition of $R_{\mathfrak M}$ means that

$$\mathrm{crec}_\infty\, f[\Omega, \Sigma]\, n\ \mathfrak R_{\mathfrak M}\ A[\Omega, x := n]$$

for any natural number $n$. In order to show this we shall prove that for any natural number $n$ and any $\omega \in \mathbb N \cup \{\infty\}$ such that either $\omega = \infty$ or $\omega > n$, we have:

$$\mathrm{crec}_\omega\, f[\Omega, \Sigma]\, n\ \mathfrak R_{\mathfrak M}\ A[\Omega, x := n].$$

We proceed by complete induction on $n$, so we assume that the statement holds for all natural numbers $m$ such that $m < n$. We begin by reducing the realizer (in the first step we use the assumption on $\omega$):

$$\begin{aligned}
\mathrm{crec}_\omega\, f[\Omega, \Sigma]\, n &\twoheadrightarrow f[\Omega, \Sigma]\, n\,(\mathrm{crec}_n\, f[\Omega, \Sigma])\\
&\twoheadrightarrow (\lambda \alpha.\ \mathbf r[\Omega, y := n, \Sigma])(\lambda z^{\mathrm{Nat}}.\ \mathrm{raise}_0\,(\lambda \_^{\mathrm{Unit}}.\ \mathrm{crec}_n\, f[\Omega, \Sigma]\, z))\\
&\twoheadrightarrow \mathbf r[\Omega, y := n, \Sigma, \alpha := \lambda z^{\mathrm{Nat}}.\ \mathrm{raise}_0\,(\lambda \_^{\mathrm{Unit}}.\ \mathrm{crec}_n\, f[\Omega, \Sigma]\, z)].
\end{aligned}$$

Then we have to show that:

$$\mathbf r[\Omega, y := n, \Sigma, \alpha := \lambda z^{\mathrm{Nat}}.\ \mathrm{raise}_0\,(\lambda \_^{\mathrm{Unit}}.\ \mathrm{crec}_n\, f[\Omega, \Sigma]\, z)]\ \mathfrak R_{\mathfrak M}\ A[\Omega, x := n].$$

This follows from the inductive hypothesis on the premise of the complete induction rule if we can show that:

$$\lambda z^{\mathrm{Nat}}.\ \mathrm{raise}_0\,(\lambda \_^{\mathrm{Unit}}.\ \mathrm{crec}_n\, f[\Omega, \Sigma]\, z)\ R_{\mathfrak M}\ \forall z.\, z < n \to A[x := z].$$

By definition of $R_{\mathfrak M}$ this is the case if:

$$\mathrm{raise}_0\,(\lambda \_^{\mathrm{Unit}}.\ \mathrm{crec}_n\, f[\Omega, \Sigma]\, m)\ \mathfrak R_{\mathfrak M}\ m < n \to A[x := m],$$

for all natural numbers $m$. By Property MR1 this follows from:

$$\lambda \_^{\mathrm{Unit}}.\ \mathrm{crec}_n\, f[\Omega, \Sigma]\, m\ R_{\mathfrak M}\ m < n \to A[x := m].$$

Again by definition of $R_{\mathfrak M}$ this is equivalent to showing that for any $u : \mathrm{Unit}$ such that $u\ R_{\mathfrak M}\ m < n$ we have:

$$\mathrm{crec}_n\, f[\Omega, \Sigma]\, m\ \mathfrak R_{\mathfrak M}\ A[x := m].$$

Note that, since $u : \mathrm{Unit}$, $u \twoheadrightarrow \ast$, so there are two possible cases: either $m < n$ is true, and then $u\ R_{\mathfrak M}\ m < n$ for any $u : \mathrm{Unit}$, or $m < n$ is false and no $u : \mathrm{Unit}$ can realize $m < n$. In both cases the statement holds: in the former case by inductive hypothesis on $m$ and in the latter case trivially, since the universal quantification on $u$ is empty. □



Theorem 1 entails that any specific monadic realizability notion is a sound semantics for at least HA. Later, when we prove that HA + EM1 is sound with respect to the interactive realizability semantics, we will only need to show that EM1 is sound, since the soundness of HA derives from Theorem 1.

3.3 Monadic Interactive Realizability

In this section we define interactive realizability as a particular notion of monadic realizabil- 
ity. Thus we show that monadic realizability may realize a sub-classical principle, in this 
case excluded middle restricted to semi-decidable statements. 



3.3.1 A Syntactic Monad for Interactive Realizability 

In order to describe the computational properties of interactive realizability (see [2]) we 
need to define a suitable monad. As we said, interactive realizability is based on the idea of 
learning by trial and error. We express the idea of trial and error with an exception monad: a 
term of intended type X has actual type X + Ex, where Ex is the type of exceptions, so that a 
computation may either return its intended value or an exception. The learning part, which is 
described by the dependency on a knowledge state, fits with a part of the side-effects monad 
(see [18] for more details): a term of intended type X has actual type State — > X, where State 
is the type of knowledge states, so that the value of a computation may change with the state. 
The syntactic monad we are about to define for interactive realizability combines these two 
monads. 

We need to extend system T with two base types State and Ex and a term constant that "merges" two exceptions into one:

$$\mathrm{merge} : \mathrm{Ex} \to \mathrm{Ex} \to \mathrm{Ex}.$$

We shall avoid defining a specific syntax for terms of type State and Ex. Instead we exhibit 
their intended interpretation and, using this interpretation as a guide, we shall require some 
properties on reductions involving them. 

We write $\mathcal P_k$ for the set of symbols of the $k$-ary predicates in HA. The intended interpretation of a (knowledge) state $s$ is a partial function

$$[\![ s ]\!]$$

that sends a $k+1$-ary predicate symbol $P$ and a $k$-tuple of parameters $m_1, \dots, m_k \in \mathbb N$ to a witness for $\exists x.\, P(m_1, \dots, m_k, x)$. We interpret the fact that a state $s$ is undefined for some $P, m_1, \dots, m_k$ as a lack of knowledge about a suitable witness. This is either due to the state
being incomplete, meaning that there exists a suitable witness $m$ we could use to extend the state by setting $s(P, (m_1, \dots, m_k)) = m$, or to the fact that there is no suitable witness, meaning that $\forall x.\, \neg P(m_1, \dots, m_k, x)$ holds³. We require that $s$ satisfies two properties. The first is for $s$ to be sound, meaning that its values are actually witnesses. More precisely:

$$s(P, (m_1, \dots, m_k)) = m \text{ entails } P(m_1, \dots, m_k, m).$$

The second is that $s$ is finite, namely that the domain of $s$ (the set of values $s$ is defined on) is finite. This is because we want a knowledge state to encode a finite quantity of information. Let $[\![ \mathrm{State} ]\!]$, the set of all finite sound states, be the intended interpretation of the type State. Recall that there is a canonical partial order on states given by the extension relation: we write $s_1 < s_2$ and read "$s_2$ extends $s_1$" if and only if $s_2$ is defined whenever $s_1$ is, and with the same value.

An exception $e : \mathrm{Ex}$ is produced when we instantiate an assumption of the form $\forall x.\, \neg P(m_1, \dots, m_k, x)$ with some $m$ such that $\neg P(m_1, \dots, m_k, m)$ does not actually hold (remember that we proceed by trial and error; in particular we may assume things that are actually false). This means that $m$ is a witness for $\exists x.\, P(m_1, \dots, m_k, x)$; in particular it could be used to extend the knowledge state on values where it was previously undefined. The role of exceptions is to encode information about the discovery of new witnesses: since we use this information to extend states, the intended interpretation of an exception $e$ is as a partial function:

$$[\![ e ]\!] : [\![ \mathrm{State} ]\!] \rightharpoonup [\![ \mathrm{State} ]\!].$$

Since $e$ extends states we require that $s < e(s)$. We interpret an exception as a partial function because an exception $e$ may fail to extend some state $s$. The reason is that $e$ may contain information about a witness $m'$ for an existential statement $\exists x.\, P(m_1, \dots, m_k, x)$ on which $s$ is already defined as $m$. Note that an existential formula can have more than one witness, so two cases may arise: either $m = m'$, meaning that the information of $e$ is already part of $s$, or $m \neq m'$, so that the information of $e$ is incompatible with the information of the state. In the first case $e(s) = s$, while in the second case $e(s)$ is not defined.

³ Here we are using EM1 at the metalevel in order to explain the possible situations. Using a principle at the metalevel in order to justify the same principle in the logic is a common practice. In our treatment this is not problematic because we never claim to be able to effectively decide which situation we are in.
Before defining the syntactic monad $\mathfrak{IR}$ for interactive realizability, we need to introduce some terminology on exceptions and states.

Definition 8 (Terminology on Exceptions and States). We say that a term of type $X + \mathrm{Ex}$ is either a regular value $a$ if it reduces to $\mathrm{in}_L\, a$ for some term $a : X$, or an exceptional value $e$ if it reduces to $\mathrm{in}_R\, e$ for some term $e : \mathrm{Ex}$. We say that a term of type $\mathrm{State} \to X$ is a state function. Finally we say that an exception $e$ properly extends $s$ if $e(s)$ is defined and $s < e(s)$.

Note that different exceptions might be used to extend a knowledge state in incompatible ways, that is, by sending the same predicate symbol and the same tuple of parameters to different witnesses. The role of the merge function is to put together the information from two exceptions into a single exception. This means that merge cannot simply put together all the information from its arguments: if such information contains more than one distinct witness for the same existential statement it must choose one in some arbitrary way, for instance the leftmost or the minimum witness. Many choices for merge are possible, provided that they satisfy the following property:

$$e_1 \text{ properly extends } s \text{ and } e_2 \text{ properly extends } s \text{ entails that } \mathrm{merge}\, e_1\, e_2 \text{ properly extends } s, \tag{EX}$$

for any state $s$ and exceptions $e_1, e_2$. Simple choices for merge are the projections, always selecting the first or the second argument, or any combination of them using an arbitrary criterion to select which value to return. Of course, in general there is no need for $\mathrm{merge}\, e_1\, e_2$ to be $e_1$ or $e_2$.

Before the definition we give an informal description of $\mathfrak{IR}$. The monad $\mathfrak{IR}$ maps a type $X$ to $\mathrm{State} \to (X + \mathrm{Ex})$, that is, values of type $X$ are lifted to state functions that can throw exceptions. The term $\mathrm{unit}_{\mathfrak{IR}}$ maps a value $a : X$ to a constant state function that returns the regular value $a$. If $f : X \to T_{\mathfrak{IR}} Y$ then $\mathrm{star}_{\mathfrak{IR}}\, f$ is a function with two arguments, a state $s$ and a state function $\mathbf a : T_{\mathfrak{IR}} X$. It evaluates $\mathbf a$ on $s$: if this results in a regular value $a : X$ it applies $f$ to $a$, otherwise it propagates the exceptional value. Lastly, if $\mathbf a : T_{\mathfrak{IR}} X$ and $\mathbf b : T_{\mathfrak{IR}} Y$ are two state functions, then $\mathrm{merge}_{\mathfrak{IR}}\, \mathbf a\, \mathbf b$ is a state function that evaluates its arguments on its state argument: when both arguments are regular values it returns their pair, otherwise it propagates the exception(s), using merge if both arguments are exceptional values.

We are now ready to give the formal definition of $\mathfrak{IR}$.

Definition 9 (Interactive Realizability Monad). Let $\mathfrak{IR}$ be the tuple $(T_{\mathfrak{IR}}, \mathrm{unit}_{\mathfrak{IR}}, \mathrm{star}_{\mathfrak{IR}}, \mathrm{merge}_{\mathfrak{IR}})$, where

$$\begin{aligned}
T_{\mathfrak{IR}}\, X &= \mathrm{State} \to (X + \mathrm{Ex}),\\
\mathrm{unit}_{\mathfrak{IR}} &= \lambda x^{X}.\lambda \_^{\mathrm{State}}.\ \mathrm{in}_L^{X,\mathrm{Ex}}\, x,\\
\mathrm{star}_{\mathfrak{IR}} &= \lambda f^{X \to T_{\mathfrak{IR}} Y}.\lambda \mathbf x^{T_{\mathfrak{IR}} X}.\lambda s^{\mathrm{State}}.\ \mathrm{case}^{X,\mathrm{Ex},Y+\mathrm{Ex}}\,(\mathbf x\, s)\,(\lambda x^{X}.\ f\, x\, s)\ \mathrm{in}_R^{Y,\mathrm{Ex}},\\
\mathrm{merge}_{\mathfrak{IR}} &= \lambda \mathbf x^{T_{\mathfrak{IR}} X}.\lambda \mathbf y^{T_{\mathfrak{IR}} Y}.\lambda s^{\mathrm{State}}.\ \mathrm{case}^{X,\mathrm{Ex},(X \times Y)+\mathrm{Ex}}\,(\mathbf x\, s)\\
&\qquad (\lambda x^{X}.\ \mathrm{case}^{Y,\mathrm{Ex},(X \times Y)+\mathrm{Ex}}\,(\mathbf y\, s)\,(\lambda y^{Y}.\ \mathrm{in}_L^{X \times Y,\mathrm{Ex}}(\mathrm{pair}\, x\, y))\ \mathrm{in}_R^{X \times Y,\mathrm{Ex}})\\
&\qquad (\lambda e_1^{\mathrm{Ex}}.\ \mathrm{case}^{Y,\mathrm{Ex},(X \times Y)+\mathrm{Ex}}\,(\mathbf y\, s)\,(\lambda \_^{Y}.\ \mathrm{in}_R^{X \times Y,\mathrm{Ex}}\, e_1)\,(\lambda e_2^{\mathrm{Ex}}.\ \mathrm{in}_R^{X \times Y,\mathrm{Ex}}(\mathrm{merge}\, e_1\, e_2))),
\end{aligned}$$

for some $\mathrm{merge}$ satisfying Property EX.

The term $\mathrm{unit}_{\mathfrak{IR}}$ takes a value $a : X$ and produces a constant state function that returns the regular (as opposed to exceptional) value $a$. The term $\mathrm{star}_{\mathfrak{IR}}$ takes a function $f : X \to T_{\mathfrak{IR}} Y$ and returns a function $f'$ which lifts the domain of $f$ to $T_{\mathfrak{IR}} X$. The state function $\mathbf b = f'\, \mathbf a$ returned by $f'$ when applied to some $\mathbf a : T_{\mathfrak{IR}} X$ behaves as follows: it evaluates $\mathbf a$ on the state and if $\mathbf a\, s$ is a regular value $a : X$ it returns $f\, a$; otherwise, if $\mathbf a\, s$ is an exception, it simply propagates the exception. In the tables below regular values are written $a$, $b$ and exceptional values $e$, $e_1$, $e_2$.

   𝐚 s  |  𝐛 s
  ------+-------
    a   |  f a
    e   |  e


The term $\mathrm{merge}_{\mathfrak{IR}}$ takes two state functions $\mathbf a : T_{\mathfrak{IR}} X$ and $\mathbf b : T_{\mathfrak{IR}} Y$ and returns a state function $\mathbf c : T_{\mathfrak{IR}}(X \times Y)$. When both arguments are regular values it returns their pair, otherwise it propagates the exception(s), using merge if both arguments are exceptional.

   𝐚 s  |  𝐛 s  |  𝐜 s
  ------+-------+--------------
    a   |  b    |  pair a b
    e₁  |  b    |  e₁
    a   |  e₂   |  e₂
    e₁  |  e₂   |  merge e₁ e₂


We still need to check that Definition 9 is correct and that $\mathfrak{IR}$ really is a syntactic monad.

Proposition 3 (The Syntactic Monad $\mathfrak{IR}$). $\mathfrak{IR}$ is a syntactic monad.
Proof. We just need to check that $\mathrm{unit}_{\mathfrak{IR}}$, $\mathrm{star}_{\mathfrak{IR}}$ and $\mathrm{merge}_{\mathfrak{IR}}$ satisfy all the properties in Definition 4. This amounts to performing some reductions.

M1 Given any $\mathbf x : T_{\mathfrak{IR}} X$, we have:

$$\begin{aligned}
&\mathrm{star}_{\mathfrak{IR}}\, \mathrm{unit}_{\mathfrak{IR}}\, \mathbf x\\
&= (\lambda f^{X \to T_{\mathfrak{IR}} X}.\lambda \mathbf x^{T_{\mathfrak{IR}} X}.\lambda s^{\mathrm{State}}.\ \mathrm{case}^{X,\mathrm{Ex},X+\mathrm{Ex}}\,(\mathbf x\, s)\,(\lambda x^{X}.\ f\, x\, s)\ \mathrm{in}_R^{X,\mathrm{Ex}})\ \mathrm{unit}_{\mathfrak{IR}}\ \mathbf x\\
&\to_\beta (\lambda \mathbf x^{T_{\mathfrak{IR}} X}.\lambda s^{\mathrm{State}}.\ \mathrm{case}^{X,\mathrm{Ex},X+\mathrm{Ex}}\,(\mathbf x\, s)\,(\lambda x^{X}.\ \mathrm{unit}_{\mathfrak{IR}}\, x\, s)\ \mathrm{in}_R^{X,\mathrm{Ex}})\ \mathbf x\\
&\to_\beta \lambda s^{\mathrm{State}}.\ \mathrm{case}^{X,\mathrm{Ex},X+\mathrm{Ex}}\,(\mathbf x\, s)\,(\lambda x^{X}.\ \mathrm{unit}_{\mathfrak{IR}}\, x\, s)\ \mathrm{in}_R^{X,\mathrm{Ex}}\\
&= \lambda s^{\mathrm{State}}.\ \mathrm{case}^{X,\mathrm{Ex},X+\mathrm{Ex}}\,(\mathbf x\, s)\,(\lambda x^{X}.\ (\lambda x^{X}.\lambda \_^{\mathrm{State}}.\ \mathrm{in}_L^{X,\mathrm{Ex}}\, x)\, x\, s)\ \mathrm{in}_R^{X,\mathrm{Ex}}\\
&\to_\beta \lambda s^{\mathrm{State}}.\ \mathrm{case}^{X,\mathrm{Ex},X+\mathrm{Ex}}\,(\mathbf x\, s)\,(\lambda x^{X}.\ (\lambda \_^{\mathrm{State}}.\ \mathrm{in}_L^{X,\mathrm{Ex}}\, x)\, s)\ \mathrm{in}_R^{X,\mathrm{Ex}}\\
&\to_\beta \lambda s^{\mathrm{State}}.\ \mathrm{case}^{X,\mathrm{Ex},X+\mathrm{Ex}}\,(\mathbf x\, s)\,(\lambda x^{X}.\ \mathrm{in}_L^{X,\mathrm{Ex}}\, x)\ \mathrm{in}_R^{X,\mathrm{Ex}}\\
&=_\eta \lambda s^{\mathrm{State}}.\ \mathrm{case}^{X,\mathrm{Ex},X+\mathrm{Ex}}\,(\mathbf x\, s)\ \mathrm{in}_L^{X,\mathrm{Ex}}\ \mathrm{in}_R^{X,\mathrm{Ex}}\\
&=_+ \lambda s^{\mathrm{State}}.\ \mathbf x\, s\\
&=_\eta \mathbf x,
\end{aligned}$$

as required by Property M1.

M2 Given any $f : X \to T_{\mathfrak{IR}} Y$ and $x : X$, we have:

$$\begin{aligned}
&\mathrm{star}_{\mathfrak{IR}}\, f\,(\mathrm{unit}_{\mathfrak{IR}}\, x)\\
&= (\lambda f^{X \to T_{\mathfrak{IR}} Y}.\lambda \mathbf x^{T_{\mathfrak{IR}} X}.\lambda s^{\mathrm{State}}.\ \mathrm{case}^{X,\mathrm{Ex},Y+\mathrm{Ex}}\,(\mathbf x\, s)\,(\lambda x^{X}.\ f\, x\, s)\ \mathrm{in}_R^{Y,\mathrm{Ex}})\ f\ (\mathrm{unit}_{\mathfrak{IR}}\, x)\\
&\to_\beta (\lambda \mathbf x^{T_{\mathfrak{IR}} X}.\lambda s^{\mathrm{State}}.\ \mathrm{case}^{X,\mathrm{Ex},Y+\mathrm{Ex}}\,(\mathbf x\, s)\,(\lambda x^{X}.\ f\, x\, s)\ \mathrm{in}_R^{Y,\mathrm{Ex}})\ (\mathrm{unit}_{\mathfrak{IR}}\, x)\\
&\to_\beta \lambda s^{\mathrm{State}}.\ \mathrm{case}^{X,\mathrm{Ex},Y+\mathrm{Ex}}\,(\mathrm{unit}_{\mathfrak{IR}}\, x\, s)\,(\lambda x^{X}.\ f\, x\, s)\ \mathrm{in}_R^{Y,\mathrm{Ex}}\\
&= \lambda s^{\mathrm{State}}.\ \mathrm{case}^{X,\mathrm{Ex},Y+\mathrm{Ex}}\,((\lambda x^{X}.\lambda \_^{\mathrm{State}}.\ \mathrm{in}_L^{X,\mathrm{Ex}}\, x)\, x\, s)\,(\lambda x^{X}.\ f\, x\, s)\ \mathrm{in}_R^{Y,\mathrm{Ex}}\\
&\to_\beta \lambda s^{\mathrm{State}}.\ \mathrm{case}^{X,\mathrm{Ex},Y+\mathrm{Ex}}\,(\mathrm{in}_L^{X,\mathrm{Ex}}\, x)\,(\lambda x^{X}.\ f\, x\, s)\ \mathrm{in}_R^{Y,\mathrm{Ex}}\\
&\to_+ \lambda s^{\mathrm{State}}.\ (\lambda x^{X}.\ f\, x\, s)\, x\\
&\to_\beta \lambda s^{\mathrm{State}}.\ f\, x\, s\\
&=_\eta f\, x,
\end{aligned}$$

as required by Property M2.
M3 Given any $x : X$ and $y : Y$, we have:

$$\begin{aligned}
&\mathrm{merge}_{\mathfrak{IR}}\,(\mathrm{unit}_{\mathfrak{IR}}\, x)(\mathrm{unit}_{\mathfrak{IR}}\, y)\\
&= (\lambda \mathbf x^{T_{\mathfrak{IR}} X}.\lambda \mathbf y^{T_{\mathfrak{IR}} Y}.\lambda s^{\mathrm{State}}.\ \mathrm{case}^{X,\mathrm{Ex},(X \times Y)+\mathrm{Ex}}\,(\mathbf x\, s)\\
&\qquad (\lambda x^{X}.\ \mathrm{case}^{Y,\mathrm{Ex},(X \times Y)+\mathrm{Ex}}\,(\mathbf y\, s)\,(\lambda y^{Y}.\ \mathrm{in}_L^{X \times Y,\mathrm{Ex}}(\mathrm{pair}\, x\, y))\ \mathrm{in}_R^{X \times Y,\mathrm{Ex}})\\
&\qquad (\lambda e_1^{\mathrm{Ex}}.\ \mathrm{case}^{Y,\mathrm{Ex},(X \times Y)+\mathrm{Ex}}\,(\mathbf y\, s)\,(\lambda \_^{Y}.\ \mathrm{in}_R^{X \times Y,\mathrm{Ex}}\, e_1)\,(\lambda e_2^{\mathrm{Ex}}.\ \mathrm{in}_R^{X \times Y,\mathrm{Ex}}(\mathrm{merge}\, e_1\, e_2))))\\
&\qquad (\mathrm{unit}_{\mathfrak{IR}}\, x)(\mathrm{unit}_{\mathfrak{IR}}\, y)\\
&\to_\beta \lambda s^{\mathrm{State}}.\ \mathrm{case}^{X,\mathrm{Ex},(X \times Y)+\mathrm{Ex}}\,(\mathrm{unit}_{\mathfrak{IR}}\, x\, s)\\
&\qquad (\lambda x^{X}.\ \mathrm{case}^{Y,\mathrm{Ex},(X \times Y)+\mathrm{Ex}}\,(\mathrm{unit}_{\mathfrak{IR}}\, y\, s)\,(\lambda y^{Y}.\ \mathrm{in}_L^{X \times Y,\mathrm{Ex}}(\mathrm{pair}\, x\, y))\ \mathrm{in}_R^{X \times Y,\mathrm{Ex}})\,(\dots)\\
&= \lambda s^{\mathrm{State}}.\ \mathrm{case}^{X,\mathrm{Ex},(X \times Y)+\mathrm{Ex}}\,((\lambda x^{X}.\lambda \_^{\mathrm{State}}.\ \mathrm{in}_L^{X,\mathrm{Ex}}\, x)\, x\, s)\\
&\qquad (\lambda x^{X}.\ \mathrm{case}^{Y,\mathrm{Ex},(X \times Y)+\mathrm{Ex}}\,(\mathrm{unit}_{\mathfrak{IR}}\, y\, s)\,(\lambda y^{Y}.\ \mathrm{in}_L^{X \times Y,\mathrm{Ex}}(\mathrm{pair}\, x\, y))\ \mathrm{in}_R^{X \times Y,\mathrm{Ex}})\,(\dots)\\
&\to_\beta \lambda s^{\mathrm{State}}.\ \mathrm{case}^{X,\mathrm{Ex},(X \times Y)+\mathrm{Ex}}\,(\mathrm{in}_L^{X,\mathrm{Ex}}\, x)\\
&\qquad (\lambda x^{X}.\ \mathrm{case}^{Y,\mathrm{Ex},(X \times Y)+\mathrm{Ex}}\,(\mathrm{unit}_{\mathfrak{IR}}\, y\, s)\,(\lambda y^{Y}.\ \mathrm{in}_L^{X \times Y,\mathrm{Ex}}(\mathrm{pair}\, x\, y))\ \mathrm{in}_R^{X \times Y,\mathrm{Ex}})\,(\dots)\\
&\to_+ \lambda s^{\mathrm{State}}.\ \mathrm{case}^{Y,\mathrm{Ex},(X \times Y)+\mathrm{Ex}}\,(\mathrm{unit}_{\mathfrak{IR}}\, y\, s)\,(\lambda y^{Y}.\ \mathrm{in}_L^{X \times Y,\mathrm{Ex}}(\mathrm{pair}\, x\, y))\ \mathrm{in}_R^{X \times Y,\mathrm{Ex}}\\
&= \lambda s^{\mathrm{State}}.\ \mathrm{case}^{Y,\mathrm{Ex},(X \times Y)+\mathrm{Ex}}\,((\lambda y^{Y}.\lambda \_^{\mathrm{State}}.\ \mathrm{in}_L^{Y,\mathrm{Ex}}\, y)\, y\, s)\,(\lambda y^{Y}.\ \mathrm{in}_L^{X \times Y,\mathrm{Ex}}(\mathrm{pair}\, x\, y))\ \mathrm{in}_R^{X \times Y,\mathrm{Ex}}\\
&\to_\beta \lambda s^{\mathrm{State}}.\ \mathrm{case}^{Y,\mathrm{Ex},(X \times Y)+\mathrm{Ex}}\,(\mathrm{in}_L^{Y,\mathrm{Ex}}\, y)\,(\lambda y^{Y}.\ \mathrm{in}_L^{X \times Y,\mathrm{Ex}}(\mathrm{pair}\, x\, y))\ \mathrm{in}_R^{X \times Y,\mathrm{Ex}}\\
&\to_+ \lambda s^{\mathrm{State}}.\ (\lambda y^{Y}.\ \mathrm{in}_L^{X \times Y,\mathrm{Ex}}(\mathrm{pair}\, x\, y))\, y\\
&\to_\beta \lambda s^{\mathrm{State}}.\ \mathrm{in}_L^{X \times Y,\mathrm{Ex}}(\mathrm{pair}\, x\, y)\\
&= \mathrm{unit}_{\mathfrak{IR}}\,(\mathrm{pair}\, x\, y),
\end{aligned}$$

as required by Property M3.



3.3.2 The Interactive Realizability Semantics 

We now define a family of monadic realizability relations, one for each state s, requiring that 
a realizer, applied to a knowledge state s, either realizes a formula in the sense of the BHK 
semantics or can extend s with new knowledge. 

Definition 10 (Interactive Realizability Relation). Let $s$ be a state, $\mathbf r : \|A\|_{\mathfrak{IR}}$ be a term and $A$ a closed formula. We define two realizability relations $\mathfrak R^s_{\mathfrak{IR}}$ and $R^s_{\mathfrak{IR}}$ by simultaneous induction on the structure of $A$:

• $\mathbf r\ \mathfrak R^s_{\mathfrak{IR}}\ A$ if and only if we have that $\mathbf r\, s$ is either a regular value $r$ such that $r\ R^s_{\mathfrak{IR}}\ A$ or an exceptional value $e$ such that $e$ properly extends $s$,

• $R^s_{\mathfrak{IR}}$ is defined in terms of $\mathfrak R^s_{\mathfrak{IR}}$ by the clauses in Definition 6.

We say that $\mathbf r$ (resp. $r$) is a monadic (resp. inner) interactive realizer of $A$ with respect to $s$ when $\mathbf r : \|A\|_{\mathfrak{IR}}$ (resp. $r : |A|_{\mathfrak{IR}}$) and $\mathbf r\ \mathfrak R^s_{\mathfrak{IR}}\ A$ (resp. $r\ R^s_{\mathfrak{IR}}\ A$).

In order to show that any interactive realizability relation with respect to a state is a monadic realizability relation, we need to verify that it satisfies the required properties.

Proposition 4 (The Monadic Realizability Relation $\mathfrak R^s_{\mathfrak{IR}}$). For any state $s$, $\mathfrak R^s_{\mathfrak{IR}}$ is a monadic realizability relation.

Proof. Let $s$ be any state. We have to show that $\mathfrak R^s_{\mathfrak{IR}}$ satisfies the properties in Definition 6.

MR1 We begin with Property MR1, namely, for any inner interactive realizer $r$ of a formula $A$ with respect to $s$, we show that:

$$\mathrm{unit}_{\mathfrak{IR}}\, r\ \mathfrak R^s_{\mathfrak{IR}}\ A.$$

By unfolding the definition of $\mathrm{unit}_{\mathfrak{IR}}$ we have that:

$$\begin{aligned}
\mathrm{unit}_{\mathfrak{IR}}\, r\, s &\twoheadrightarrow (\lambda \_^{\mathrm{State}}.\ \mathrm{in}_L\, r)\, s\\
&\twoheadrightarrow \mathrm{in}_L\, r,
\end{aligned}$$

thus, by definition of $\mathfrak R^s_{\mathfrak{IR}}$, we have to check that $r\ R^s_{\mathfrak{IR}}\ A$, which holds by assumption.

MR2 In order to show Property MR2, for any formulas $A$ and $B$, we take an inner interactive realizer $r$ of $A \to B$ with respect to $s$, that is, a term $r : |A|_{\mathfrak{IR}} \to \|B\|_{\mathfrak{IR}}$ such that $r\, p$ is a monadic interactive realizer of $B$ with respect to $s$, for any inner interactive realizer $p$ of $A$ with respect to $s$. Then we have to show that, given a monadic interactive realizer $\mathbf p$ of $A$ with respect to $s$, we have:

$$\mathrm{star}_{\mathfrak{IR}}\, r\, \mathbf p\ \mathfrak R^s_{\mathfrak{IR}}\ B.$$
By definition of $\mathfrak R^s_{\mathfrak{IR}}$ we apply $s$ to the realizer, and by unfolding the definition of $\mathrm{star}_{\mathfrak{IR}}$ and reducing we get:

$$\mathrm{star}_{\mathfrak{IR}}\, r\, \mathbf p\, s \twoheadrightarrow \mathrm{case}\,(\mathbf p\, s)\,(\lambda x^{|A|_{\mathfrak{IR}}}.\ r\, x\, s)\ \mathrm{in}_R. \tag{3.2}$$

Since $\mathbf p\ \mathfrak R^s_{\mathfrak{IR}}\ A$, we know that $\mathbf p\, s$ reduces to either a regular value $\mathrm{in}_L\, p$, for some inner realizer $p$ of $A$ with respect to $s$, or an exceptional value $\mathrm{in}_R\, e$, for some exception $e$ that properly extends $s$.

• In the former case, (3.2) reduces to $r\, p\, s$. By the assumptions we made on $r$ and $p$, $r\, p$ is a monadic interactive realizer of $B$ with respect to $s$, and thus $r\, p\, s$ reduces to either a regular value which is an inner interactive realizer of $B$ with respect to $s$ or an exceptional value which properly extends $s$. Thus $\mathrm{star}_{\mathfrak{IR}}\, r\, \mathbf p$ is a monadic interactive realizer of $B$ with respect to $s$, as required.

• In the latter case, (3.2) reduces to $\mathrm{in}_R\, e$. Since $e$ properly extends $s$, $\mathrm{star}_{\mathfrak{IR}}\, r\, \mathbf p$ is again a monadic interactive realizer of $B$ with respect to $s$, as required.

MR3 Finally we have to show Property MR3. We assume that $\mathbf p$ and $\mathbf q$ are monadic interactive realizers of $A$ and $B$ respectively, both with respect to $s$. Then we have to show that:

$$\mathrm{merge}_{\mathfrak{IR}}\, \mathbf p\, \mathbf q\ \mathfrak R^s_{\mathfrak{IR}}\ A \wedge B.$$

By definition of $\mathfrak R^s_{\mathfrak{IR}}$, this means we have to show that

$$\mathrm{merge}_{\mathfrak{IR}}\, \mathbf p\, \mathbf q\, s$$

reduces to either a regular value which is an inner interactive realizer of $A \wedge B$ with respect to $s$, or an exceptional value which properly extends $s$. Since $\mathbf p$ and $\mathbf q$ are monadic interactive realizers, $\mathbf p\, s$ and $\mathbf q\, s$ either reduce to regular values $\mathrm{in}_L\, p$ and $\mathrm{in}_L\, q$, where $p$ and $q$ are inner interactive realizers of respectively $A$ and $B$ with respect to $s$, or to exceptional values $\mathrm{in}_R\, e_1$ and $\mathrm{in}_R\, e_2$, where $e_1$ and $e_2$ properly extend $s$. By unfolding the definition of $\mathrm{merge}_{\mathfrak{IR}}$ and reducing we get:

$$\begin{aligned}
\mathrm{merge}_{\mathfrak{IR}}\, \mathbf p\, \mathbf q\, s \twoheadrightarrow\ &\mathrm{case}\,(\mathbf p\, s)\,(\lambda x^{|A|_{\mathfrak{IR}}}.\ \mathrm{case}\,(\mathbf q\, s)\,(\lambda y^{|B|_{\mathfrak{IR}}}.\ \mathrm{in}_L(\mathrm{pair}\, x\, y))\ \mathrm{in}_R)\\
&(\lambda e_1^{\mathrm{Ex}}.\ \mathrm{case}\,(\mathbf q\, s)\,(\lambda \_^{|B|_{\mathfrak{IR}}}.\ \mathrm{in}_R\, e_1)\,(\lambda e_2^{\mathrm{Ex}}.\ \mathrm{in}_R(\mathrm{merge}\, e_1\, e_2)))
\end{aligned} \tag{3.3}$$

We distinguish four cases depending on how $\mathbf p\, s$ and $\mathbf q\, s$ reduce:
$\mathbf p\, s \twoheadrightarrow \mathrm{in}_L\, p$ and $\mathbf q\, s \twoheadrightarrow \mathrm{in}_L\, q$. In this case (3.3) reduces as follows:

$$\begin{aligned}
\mathrm{merge}_{\mathfrak{IR}}\, \mathbf p\, \mathbf q\, s &\twoheadrightarrow \mathrm{case}\,(\mathbf q\, s)\,(\lambda y^{|B|_{\mathfrak{IR}}}.\ \mathrm{in}_L(\mathrm{pair}\, p\, y))\ \mathrm{in}_R\\
&\twoheadrightarrow \mathrm{in}_L(\mathrm{pair}\, p\, q).
\end{aligned}$$

Since it is a regular value, we have to show that $\mathrm{pair}\, p\, q\ R^s_{\mathfrak{IR}}\ A \wedge B$. This follows by definition of $R^s_{\mathfrak{IR}}$ and from the assumption that $p\ R^s_{\mathfrak{IR}}\ A$ and $q\ R^s_{\mathfrak{IR}}\ B$.

$\mathbf p\, s \twoheadrightarrow \mathrm{in}_L\, p$ and $\mathbf q\, s \twoheadrightarrow \mathrm{in}_R\, e_2$. In this case (3.3) reduces as follows:

$$\begin{aligned}
\mathrm{merge}_{\mathfrak{IR}}\, \mathbf p\, \mathbf q\, s &\twoheadrightarrow \mathrm{case}\,(\mathbf q\, s)\,(\lambda y^{|B|_{\mathfrak{IR}}}.\ \mathrm{in}_L(\mathrm{pair}\, p\, y))\ \mathrm{in}_R\\
&\twoheadrightarrow \mathrm{in}_R\, e_2.
\end{aligned}$$

Since it is an exceptional value, we have to show that $e_2$ properly extends $s$. This follows by the assumption that $\mathbf q\ \mathfrak R^s_{\mathfrak{IR}}\ B$.

$\mathbf p\, s \twoheadrightarrow \mathrm{in}_R\, e_1$ and $\mathbf q\, s \twoheadrightarrow \mathrm{in}_L\, q$. In this case (3.3) reduces as follows:

$$\begin{aligned}
\mathrm{merge}_{\mathfrak{IR}}\, \mathbf p\, \mathbf q\, s &\twoheadrightarrow \mathrm{case}\,(\mathbf q\, s)\,(\lambda \_^{|B|_{\mathfrak{IR}}}.\ \mathrm{in}_R\, e_1)\,(\lambda e_2^{\mathrm{Ex}}.\ \mathrm{in}_R(\mathrm{merge}\, e_1\, e_2))\\
&\twoheadrightarrow \mathrm{in}_R\, e_1.
\end{aligned}$$

Since it is an exceptional value, we have to show that $e_1$ properly extends $s$. This follows by the assumption that $\mathbf p\ \mathfrak R^s_{\mathfrak{IR}}\ A$.

$\mathbf p\, s \twoheadrightarrow \mathrm{in}_R\, e_1$ and $\mathbf q\, s \twoheadrightarrow \mathrm{in}_R\, e_2$. In this case (3.3) reduces as follows:

$$\begin{aligned}
\mathrm{merge}_{\mathfrak{IR}}\, \mathbf p\, \mathbf q\, s &\twoheadrightarrow \mathrm{case}\,(\mathbf q\, s)\,(\lambda \_^{|B|_{\mathfrak{IR}}}.\ \mathrm{in}_R\, e_1)\,(\lambda e_2^{\mathrm{Ex}}.\ \mathrm{in}_R(\mathrm{merge}\, e_1\, e_2))\\
&\twoheadrightarrow \mathrm{in}_R(\mathrm{merge}\, e_1\, e_2).
\end{aligned}$$

Since it is an exceptional value, we have to show that $\mathrm{merge}\, e_1\, e_2$ properly extends $s$. By Property EX, this happens whenever both $e_1$ and $e_2$ properly extend $s$. This is the case by the assumption that $\mathbf p\ \mathfrak R^s_{\mathfrak{IR}}\ A$ and $\mathbf q\ \mathfrak R^s_{\mathfrak{IR}}\ B$. □

Following Definition 7, for each state $s$, the monadic realizability relation $\mathfrak R^s_{\mathfrak{IR}}$ induces a monadic realizability semantics, which realizes HA by Theorem 1. We employ this family of semantics indexed by a state in order to define another one, which does not depend on a state.

Definition 11 (Interactive Realizability Semantics). We say that the decorated sequent $\Gamma \Vdash_{\mathfrak{IR}} \mathbf r : A$ is valid if and only if it is valid with respect to the semantics induced by each $\mathfrak R^s_{\mathfrak{IR}}$ for every state $s$.

We shall show how we can realize EM1 in this semantics.

3.3.3 Realizing the Excluded Middle Axiom 

Interactive realizability aims at producing a realizer of the EM1 axiom, a weakened form of the excluded middle restricted to $\Sigma^0_1$ formulas. A generic instance of EM1 is written as:

$$\mathrm{EM1}(P, t_1, \dots, t_k) = (\forall y.\, P(t_1, \dots, t_k, y)) \vee (\exists y.\, \neg P(t_1, \dots, t_k, y)),$$

for any $k+1$-ary relation $P$ and arithmetic terms $t_1, \dots, t_k$. We call universal (resp. existential) disjunct the first (resp. the second) disjunct of $\mathrm{EM1}(P, t_1, \dots, t_k)$. For more information on EM1 see [1].

The main hurdle we have to overcome in order to build a realizer of $\mathrm{EM1}(P, t_1, \dots, t_k)$ is that, by the well-known undecidability of the halting problem, there is no total recursive function that can choose which one of the disjuncts holds. Moreover, if the realizer chooses the existential disjunct, it should also be able to provide a witness.

As we said before, terms of type State contain knowledge about witnesses of $\Sigma^0_1$ formulas. In order to query a state $s$ for a witness $n$ of $\exists y.\, P(n_1, \dots, n_k, y)$ for some natural numbers $n_1, \dots, n_k$, we need to extend system T with the family of term constants:

$$\mathrm{query}_P : \mathrm{State} \to \underbrace{\mathrm{Nat} \to \dots \to \mathrm{Nat}}_{k} \to \mathrm{Unit} + \mathrm{Nat},$$

indexed by $P \in \mathcal P_{k+1}$ (and implicitly by $k > 0$). The value of $\mathrm{query}_P\, s\, n_1 \cdots n_k$ should be either $\ast$, if $s$ contains no information about such an $n$, or a numeral $n$ such that $[\![ P ]\!](n_1, \dots, n_k, n)$ is true. More formally we require that $\mathrm{query}_P$ satisfies the following syntactic property:

$$\mathrm{query}_P\, s\, n_1 \cdots n_k \twoheadrightarrow \mathrm{in}_R\, n \text{ entails that } P(n_1, \dots, n_k, n) \text{ holds} \tag{IR1}$$

for all natural numbers $n_1, \dots, n_k$. This amounts to requiring that states do not answer with wrong witnesses, and it follows immediately from the intended interpretation if we suitably define $\mathrm{query}_P\, s\, n_1 \cdots n_k$ using $[\![ s ]\!](P, (n_1, \dots, n_k))$.
An interactive realizer $r_P$ of $\mathrm{EM}_1(P)$ will behave as follows. When it needs to choose one of the disjuncts it queries the state. If the state answers with a witness, $r_P$ reduces to a realizer $r_\exists$ of the existential disjunct containing the witness given by the state. Otherwise we can only assume (since we do not know any witness) that the universal disjunct holds, and thus $r_P$ reduces to a realizer $r_\forall$ of the universal disjunct. This assumption may be wrong if the state is not big enough. When $r_\forall$ is evaluated on numerals (this corresponds to the fact that an instance $P(n_1, \ldots, n_k, n)$ of the universal disjunct assumption is used in the proof), $r_\forall$ checks whether the instance holds. If this is not the case the realizer made a wrong assumption and $r_\forall$ reduces to an exceptional value, with the effect of halting the regular reduction and returning the exceptional value. For this we need to extend system T with the last family of terms:
\[
\mathsf{eval}_P : \underbrace{\mathsf{Nat} \to \cdots \to \mathsf{Nat}}_{k} \to \mathsf{Nat} \to \mathsf{Unit} + \mathsf{Ex},
\]
again indexed by $P \in \mathcal{R}_{k+1}$. We shall need $\mathsf{eval}_P$ to satisfy the following property:
\[
\mathsf{eval}_P\ n_1 \cdots n_k\ n \leadsto \mathsf{in}_L\, * \ \text{ entails that } P(n_1, \ldots, n_k, n) \text{ holds}, \tag{IR2}
\]
for all natural numbers $n_1, \ldots, n_k, n$. Since $\mathsf{eval}_P\ n_1 \cdots n_k\ n$ reduces either to $\mathsf{in}_L\, *$ or to an exceptional value, this guarantees that if the universal disjunct instance does not hold, $\mathsf{eval}_P$ reduces to an exceptional value. Thus an interactive realizer which uses a false instance of a universal assumption cannot reduce to a regular value.

The last property we need is that for any state $s$ and natural numbers $n_1, \ldots, n_k, n$,
\[
\mathsf{query}_P\ s\ n_1 \cdots n_k \leadsto \mathsf{in}_L\, * \ \text{ and }\ \mathsf{eval}_P\ n_1 \cdots n_k\ n \leadsto \mathsf{in}_R\, e \ \text{ entail that } e \text{ properly extends } s. \tag{IR3}
\]
This condition guarantees that we have no "lazy" realizers that throw exceptions encoding witnesses that are already in the state.

Now we can define a realizer for $\mathrm{EM}_1(P, t_1, \ldots, t_k)$ as follows:
\[
\mathsf{em}_N(P, t_1, \ldots, t_k) = \lambda s^{\mathsf{State}}.\ \mathsf{in}_L(\mathsf{case}(\mathsf{query}_P\ s\ t_1 \cdots t_k)\ (\lambda\_^{\mathsf{Unit}}.\ \mathsf{in}_L(\lambda y^{\mathsf{Nat}}.\ \lambda\_^{\mathsf{State}}.\ \mathsf{eval}_P\ t_1 \cdots t_k\ y))\ (\lambda y^{\mathsf{Nat}}.\ \mathsf{in}_R(\mathsf{pair}\ y\ \mathsf{unit}_{\exists R}))).
\]
Of course we need to check that our definition is correct.
Proposition 5 (Interactive Realizer for EM$_1$). Given any EM$_1$ instance $\mathrm{EM}_1(P, t_1, \ldots, t_k)$, the decorated sequent:
\[
a_1 : A_1, \ldots, a_l : A_l \Vdash_{\exists R} \mathsf{em}_N(P, t_1, \ldots, t_k) : \mathrm{EM}_1(P, t_1, \ldots, t_k), \tag{3.4}
\]
is valid with respect to the interactive realizability semantics given in Definition 11.

Proof. Let $r$ and $A$ stand for $\mathsf{em}_N(P, t_1, \ldots, t_k)$ and $\mathrm{EM}_1(P, t_1, \ldots, t_k)$ in the following proof. By Definition 11, we have to prove that (3.4) is valid with respect to the semantics induced by $\mathfrak{R}^s_{\exists R}$ for any given state $s$.

Let the free (arithmetic) variables of $A$ be $x_1, \ldots, x_m$ and let $\Omega = x_1 := n_1, \ldots, x_m := n_m$ be a substitution for them. Let $\Sigma$ be a substitution for the assumption variables in $\Gamma$. Note that the only free variables in $r$ are arithmetic, thus $r[\Sigma]$ is the same as $r$.

Thus we have to prove that
\[
r[\Sigma, \Omega]\ \mathfrak{R}^s_{\exists R}\ A[\Omega].
\]
By definition of $\mathfrak{R}^s_{\exists R}$, we apply $s$ and reduce:
\[
r[\Sigma, \Omega]\ s \leadsto \mathsf{in}_L(\mathsf{case}(\mathsf{query}_P\ s\ t_1[\Omega] \cdots t_k[\Omega])\ (\lambda\_^{\mathsf{Unit}}.\ \mathsf{in}_L(\lambda y^{\mathsf{Nat}}.\ \lambda\_^{\mathsf{State}}.\ \mathsf{eval}_P\ t_1[\Omega] \cdots t_k[\Omega]\ y))\ (\lambda y^{\mathsf{Nat}}.\ \mathsf{in}_R(\mathsf{pair}\ y\ \mathsf{unit}_{\exists R}))),
\]
and since $r[\Sigma, \Omega]\ s$ is a regular value, $r[\Sigma, \Omega]$ is a monadic realizer of $A$ if and only if:
\[
\mathsf{case}(\mathsf{query}_P\ s\ t_1[\Omega] \cdots t_k[\Omega])\ (\lambda\_^{\mathsf{Unit}}.\ \mathsf{in}_L(\lambda y^{\mathsf{Nat}}.\ \lambda\_^{\mathsf{State}}.\ \mathsf{eval}_P\ t_1[\Omega] \cdots t_k[\Omega]\ y))\ (\lambda y^{\mathsf{Nat}}.\ \mathsf{in}_R(\mathsf{pair}\ y\ \mathsf{unit}_{\exists R})) \tag{3.5}
\]
is an inner realizer for $A$. $\mathsf{query}_P\ s\ t_1[\Omega] \cdots t_k[\Omega]$ reduces either to $\mathsf{in}_L\, *$ or to $\mathsf{in}_R\, n$ for some natural number $n$. We distinguish the two cases.

$\mathsf{in}_L\, *$: In the first case (3.5) reduces to:
\[
\mathsf{in}_L(\lambda y^{\mathsf{Nat}}.\ \lambda\_^{\mathsf{State}}.\ \mathsf{eval}_P\ t_1[\Omega] \cdots t_k[\Omega]\ y).
\]
By definition of $\mathfrak{R}^s_{\exists R}$, this is an inner realizer for $A$ if and only if
\[
r_\forall = \lambda y^{\mathsf{Nat}}.\ \lambda\_^{\mathsf{State}}.\ \mathsf{eval}_P\ t_1[\Omega] \cdots t_k[\Omega]\ y
\]
is an inner realizer for $\forall y.\ P(t_1[\Omega], \ldots, t_k[\Omega], y)$. Again by definition of $\mathfrak{R}^s_{\exists R}$, this is the case if and only if
\[
r_\forall\ n\ \mathfrak{R}^s_{\exists R}\ P(t_1[\Omega], \ldots, t_k[\Omega], n),
\]
for any natural number $n$. Following the definition of $\mathfrak{R}^s_{\exists R}$, we apply $s$ to $r_\forall\ n$ and reduce:
\[
r_\forall\ n\ s \leadsto \mathsf{eval}_P\ t_1[\Omega] \cdots t_k[\Omega]\ n.
\]
Then $r_\forall\ n\ s$ reduces either to $\mathsf{in}_L\, *$ or to $\mathsf{in}_R\, e$, for some exception $e$.

  $\mathsf{in}_L\, *$: In the first case, we have to check that $*\ \mathfrak{R}^s_{\exists R}\ P(t_1[\Omega], \ldots, t_k[\Omega], n)$. By definition of $\mathfrak{R}^s_{\exists R}$, this is the case if and only if $P(t_1[\Omega], \ldots, t_k[\Omega], n)$ holds, and this follows from Property IR2.

  $\mathsf{in}_R\, e$: In the second case, by definition of $\mathfrak{R}^s_{\exists R}$, we have to check that $e$ properly extends $s$. Since in this branch $\mathsf{query}_P\ s\ t_1[\Omega] \cdots t_k[\Omega] \leadsto \mathsf{in}_L\, *$, this follows from Property IR3.

$\mathsf{in}_R\, n$: In this case, (3.5) reduces to:
\[
\mathsf{in}_R(\mathsf{pair}\ n\ \mathsf{unit}_{\exists R}).
\]
By definition of $\mathfrak{R}^s_{\exists R}$, this is an inner realizer for $A$ if and only if $\mathsf{pair}\ n\ \mathsf{unit}_{\exists R}$ is an inner realizer for
\[
\exists y.\ \neg P(t_1[\Omega], \ldots, t_k[\Omega], y).
\]
Again by definition of $\mathfrak{R}^s_{\exists R}$, this is the case if and only if
\[
\mathsf{unit}_{\exists R}\ \mathfrak{R}^s_{\exists R}\ \neg P(t_1[\Omega], \ldots, t_k[\Omega], n).
\]
Since $\neg P(t_1[\Omega], \ldots, t_k[\Omega], n)$ is defined as $P(t_1[\Omega], \ldots, t_k[\Omega], n) \to \bot$, again by definition of $\mathfrak{R}^s_{\exists R}$, we have to show that
\[
\mathsf{unit}_{\exists R}\ u\ \mathfrak{R}^s_{\exists R}\ \bot
\]
for any inner realizer $u$ of $P(t_1[\Omega], \ldots, t_k[\Omega], n)$. However, by Property IR1, $P(t_1[\Omega], \ldots, t_k[\Omega], n)$ does not hold, so there is no such $u$. Thus $\mathsf{unit}_{\exists R}\ u\ \mathfrak{R}^s_{\exists R}\ \bot$ holds vacuously. □



Then we can extend our proof decoration for HA (see Figure 3.1) with the new axiom rule:
\[
\overline{\Gamma \Vdash_{\exists R} \mathsf{em}_N(P, t_1, \ldots, t_k) : \mathrm{EM}_1(P, t_1, \ldots, t_k)}
\]
and show that interactive realizability realizes the whole HA + EM$_1$.

Theorem 2 (Soundness of HA + EM$_1$ with respect to Interactive Realizability Semantics). Let $D$ be a derivation of $\Gamma \vdash A$ in HA + EM$_1$. Then $\Gamma \Vdash_{\exists R} D^* : A$, where $D^*$ is the term obtained by decorating $D$, is valid with respect to the interactive realizability semantics.

Proof. By definition of interactive realizability semantics, we have to prove that $\Gamma \Vdash_{\exists R} D^* : A$ is valid with respect to the monadic realizability semantics induced by $\mathfrak{R}^s_{\exists R}$ for any state $s$. So we fix a generic state $s$ and proceed by induction on the structure of the decorated version of $D$, exactly as in Theorem 1, that is, we prove that each rule whose premisses are valid has a valid conclusion. Since $\mathfrak{R}^s_{\exists R}$ is a monadic realizability relation, this has already been shown in the proof of Theorem 1 for all the rules in HA. We only need to check the EM$_1$ axiom, but we have already done this in Proposition 5. □

3.4 Conclusions 

As we mentioned in the introduction, interactive realizability describes a learning by trial- 
and-error process. In our presentation we focused on the evaluation of interactive realizers, 
which corresponds to the trial-and-error part and is but a single step in the learning process. 
For the sake of completeness, we briefly describe the learning process itself. 

We can interpret an interactive realizer $r$ of a formula $A$ as a function $f$ from states to states. Recall that the intended interpretation of a term $e : \mathsf{Ex}$ is a function that extends states. Then we can define $f$ by means of $r$ as follows:
\[
f(s) = \begin{cases} \llbracket e \rrbracket(s) & \text{if } r\,s \leadsto \mathsf{in}_R\, e, \\ s & \text{if } r\,s \leadsto \mathsf{in}_L\, t \text{ for some } t. \end{cases}
\]
Note that by definition of $\mathfrak{R}^s_{\exists R}$ we know that in the first case $\llbracket e \rrbracket(s)$ properly extends $s$. We can think of $f$ as a learning function: we start from a knowledge state and try to prove $A$ with $r$. If we fail, we learn some information that was not present in the state and we use it to extend the state. If we succeed then we do not learn anything and we return the input state. Thus note that the fixed points of $f$ are exactly the states containing enough information to prove $A$.

By composing $f$ with itself we obtain a learning process: we start from some state (for instance the empty one) and we apply $f$ repeatedly. If this repeated application eventually produces a fixed point, the learning process ends, since we have the required information to prove $A$. Otherwise we build an infinite sequence of ever increasing knowledge states whose information is never enough to prove $A$. The fact that the learning process described by interactive realizability ends is proved in Theorem 2.15 of [2].
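The realizer $\mathsf{em}_N$ of Section 3.3.3 and the learning function $f$ above, as an added executable illustration that is not code from the dissertation: a small Python model of states, exceptions, $\mathsf{query}_P$ and $\mathsf{eval}_P$ satisfying IR1-IR3, the realizer of $\mathrm{EM}_1(P, n)$ for a decidable $P$, a constructed "proof" that uses the universal disjunct at finitely many instances, and the iteration of $f$ up to a fixed point. The representation of a state as a dictionary keyed by (predicate name, arguments), of an exception as the set of entries it adds, and the predicate $P(n, y) := y \cdot y \neq n$ are our own assumptions.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

# Constructed model (our assumption, not the thesis's notation): a state maps a
# Sigma^0_1 instance, identified by (predicate name, arguments), to a witness n
# of Exists y. not P(args, y).  An exception is a dict of entries absent from
# the state; applying it to a state adds those entries (a proper extension).
Key = Tuple[str, Tuple[int, ...]]
State = Dict[Key, int]


@dataclass(frozen=True)
class InL:  # left injection: regular value / universal disjunct
    value: Any


@dataclass(frozen=True)
class InR:  # right injection: exceptional value / existential disjunct
    value: Any


def query(name: str, P: Callable[..., bool], s: State, *args: int):
    """query_P s n1..nk: InL(()) if s knows no witness, else InR(n).
    IR1: an InR(n) answer only carries an n with not P(n1..nk, n)."""
    n = s.get((name, args))
    if n is None:
        return InL(())
    assert not P(*args, n), "a state must not answer with a wrong witness (IR1)"
    return InR(n)


def evaluate(name: str, P: Callable[..., bool], *args_and_n: int):
    """eval_P n1..nk n: InL(()) when the instance P(n1..nk, n) holds (IR2),
    otherwise an exception recording n as a witness of Exists y. not P."""
    *args, n = args_and_n
    if P(*args, n):
        return InL(())
    return InR({(name, tuple(args)): n})


def em(name: str, P: Callable[..., bool], *args: int):
    """em_N(P, t1..tk): a monadic realizer, i.e. a function State -> InL(inner),
    where inner is InL(r_forall) or InR((n, ())) (pair n unit)."""
    def realizer(s: State):
        answer = query(name, P, s, *args)
        if isinstance(answer, InL):
            # no witness known: provisionally take the universal disjunct; its
            # realizer checks every instance it is asked for with eval_P
            def r_forall(y: int):
                return lambda _s: evaluate(name, P, *args, y)
            return InL(InL(r_forall))
        return InL(InR((answer.value, ())))
    return realizer


def proof_using_em1(name, P, args, instances):
    """A constructed 'derivation' eliminating EM1(P, args): on the universal
    side it uses the instances P(args, y) for y in `instances`, on the
    existential side it just returns the witness.  As in the monadic bind,
    the first exception raised by an instance check halts the regular reduction."""
    def realizer(s: State):
        inner = em(name, P, *args)(s).value
        if isinstance(inner, InL):
            for y in instances:
                res = inner.value(y)(s)
                if isinstance(res, InR):
                    return res          # the exception climbs to the top level
            return InL(("universal", tuple(instances)))
        n, _unit = inner.value
        return InL(("witness", n))
    return realizer


def learn_step(r, s: State) -> State:
    """f(s) = [[e]](s) if r s ~> in_R e, and f(s) = s if r s ~> in_L t."""
    res = r(s)
    if isinstance(res, InR):
        e = res.value
        assert not (e.keys() & s.keys()), "e must properly extend s (IR3)"
        return {**s, **e}
    return s


def learn(r, s0: Optional[State] = None, bound: int = 100) -> List[State]:
    """Iterate f from s0 until a fixed point; returns the sequence of states."""
    states = [dict(s0 or {})]
    for _ in range(bound):
        nxt = learn_step(r, states[-1])
        if nxt == states[-1]:
            return states
        states.append(nxt)
    raise RuntimeError("no fixed point reached within the bound")


# Constructed instance: P(n, y) := y*y != n, so Exists y. not P(n, y) says that
# n is a perfect square; EM1(P, n) is "n has no square root or it has one".
def not_root(n: int, y: int) -> bool:
    return y * y != n


def run(n: int, instances=range(6)):
    """Learning process for the toy proof of EM1(P, n), from the empty state."""
    r = proof_using_em1("sq", not_root, (n,), list(instances))
    states = learn(r, {})
    return states, r(states[-1]).value
```

For `run(9)` the empty state answers nothing, the universal disjunct is assumed, the instance $y = 3$ fails, the exception extends the state with the witness 3, and on the second round the state answers the witness and the realizer picks the existential disjunct: two states, one learning step. For `run(7)` the four instances used by the proof all hold, so the empty state is already a fixed point even though $\forall y.\ P(7, y)$ was never proved, which is exactly the "possibly wrong assumption" the text describes.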

We wish to point out one of the main differences between our presentation of interactive realizability and the one given in [2]. In [2], the formulas-as-types correspondence is closer to the standard one. Exceptions are allowed only at the level of atomic formulas and $\mathsf{merge}$ is only used in atomic rules. For instance a realizer for a conjunction $A \wedge B$ could normalize to $\mathsf{pair}\ e_1\ e_2$. In this case, the failure of the realizer is not apparent (at least at the top level) and it is not clear which one of $e_1$ or $e_2$ we are supposed to extend the state with. In our version exceptions are allowed at the top level of any formula and they "climb" upwards whenever possible by means of $\mathsf{merge}$.



Chapter 4 

A Witness Extraction Technique by 
Proof Normalization 



We present a new set of reductions for derivations in natural deduction that can extract witnesses from closed derivations of simply existential formulas in Heyting Arithmetic (HA) plus the law of the excluded middle restricted to simply existential formulas (EM$_1$).

The reductions we present are inspired by the informal idea of learning by making falsifiable hypotheses and checking them, and by the interactive realizability interpretation. We extract the witnesses directly from derivations in HA + EM$_1$ by reduction, without encoding derivations by a realizability interpretation.

4.1 Introduction 

In proof theory there are reductions that express the computational interpretation we give to logical connectives, quantifiers and, in the case of arithmetic, induction. Proofs in intuitionistic logic are shown to produce a witness for existential statements: any proof can be reduced to normal form, in which no more reductions are possible, and in a normal proof of an existential statement a witness always appears in a predictable location. We want to obtain the same result for proofs of semi-decidable statements in intuitionistic logic augmented with EM$_1$ and reduction rules inspired by a trial-and-error interpretation.

We work in Heyting Arithmetic (HA) extended with EM$_1$, which is weaker than classical arithmetic but strong enough to prove non-trivial non-constructive results: for instance the fact that every function $f : \mathbb{N} \to \mathbb{N}$ has a minimum. By modifying the standard reductions for Heyting Arithmetic (see [20]), we show that normal proofs of existential statements in HA + EM$_1$ produce a witness¹, as they do in the intuitionistic case.

The fact that classical arithmetic is a conservative extension of HA for $\Pi^0_2$ statements is well known, and the fact that we can extract witnesses from classical proofs of $\Sigma^0_1$ statements follows immediately. However, proofs of these results usually employ the Gödel-Gentzen negative translation combined with variants of Kreisel's modified realizability semantics or Friedman's translation. Here, by purely proof-theoretical means, we prove a slightly weaker result without resorting to negative translations and using reductions justified in terms of interactive realizability.

An important remark is that in this chapter we do not prove strong normalization, but just a result on the form of normal proofs. A formal type-theoretic version of the reductions given in the following and a strong normalization proof could not be included in this dissertation for reasons of time, but they will appear in [3]. In this chapter we prove that, if we have normalization, then all derivations of simply existential statements compute a witness by a method we describe as trial-and-error.



4.2 A Formal System for Intuitionistic Arithmetic

As usual we work in HA + EM$_1$, Heyting Arithmetic extended with the law of the excluded middle for $\Sigma^0_1$ formulas. The full description is in Section 2.1.

Since our reduction technique could conceivably be used in other first-order theories, we isolate some general assumptions on atomic formulas and rules that we need for our results to hold:

• closed atomic formulas are decidable,

• any true closed atomic formula has an atomic derivation,

• atomic rules do not discharge assumptions,

• atomic rules do not bind term variables².

The first two assumptions are very reasonable in a constructive setting such as arithmetic, where we expect to have decidability at least for atomic formulas³. The other two seem also reasonable for any first-order theory. All four assumptions are satisfied in HA.

¹ Under suitable assumptions on the proof.

We assumed that any true closed atomic formula has an atomic derivation. For conve- 
nience we add atomic rules for proving them in one step. Let P be a closed atomic formula. 
If P is true then we add the atomic axiom: 

Otherwise if P is false we add the atomic rule: 

p 

In order to work on the structure of derivations we need suitable notation and terminology. We represent derivations as upward-growing trees of formulas and we make a distinction between a formula (resp. rule) and its occurrences (resp. instances) in a derivation.

A formula can occur more than once in a derivation. While these occurrences are clearly distinct in a tree-like representation, in order to avoid confusion when referring to them in the text special care must be taken. Thus we make a distinction between formulas and formula occurrences, or simply occurrences, which we label with $a, b, c$. In a derivation, formula occurrences are arranged following the patterns given by the inference rules. As with formulas, we distinguish between rules and rule instances, or simply instances, which we label with $\alpha, \beta, \gamma$. We write a derivation $\Pi$ as follows:

                      [C]^β
          Π1           Π2
         B^{b1}       B^{b2}
    rulename ─────────────────── α
                A^a

The only occurrence of the formula $A$ is labeled $a$, while $B$ occurs two times, with distinct labels $b_1$ and $b_2$. $a$ is the conclusion of an instance, labeled $\alpha$, of an inference rule named rulename. $b_1$ and $b_2$ are the premisses of $\alpha$. We also say that $a$ is the conclusion of the whole derivation $\Pi$. With $\Pi_1$ and $\Pi_2$ we denote two subderivations (as in subtree) of $\Pi$. We distinguish subderivations by their conclusion, so we say that $\Pi_i$ is the (sub)derivation of $b_i$, for $i = 1, 2$. By writing $[C]^\beta$ in square brackets above $\Pi_2$, we make explicit that $\Pi_2$ may contain occurrences of the assumption $C$, which is discharged by some undisplayed rule instance $\beta$.

² The precise meaning of this will be given later.

³ However they may very well fail in set theory, for instance with the inclusion predicate.

We define assumptions and open assumptions as usual in natural deduction, see [24], 
page 23. 

4.3 The Standard Reductions 

In this section we introduce the standard reductions we need for proofs in natural deduction. 

Reductive proof theory stems from the following observation: there are derivations that 
are more complex than they need to be because they have unnecessary detours. When this 
occurs, we can produce simpler and more direct derivations with the same conclusion by 
simple structural manipulations called reductions. 

In standard reductive proof theory for natural deduction, several reductions are intro- 
duced: proper reductions, permutative reductions, immediate simplifications and a reduc- 
tion for the induction rule (see [20]). A derivation is said to be fully normal when none of 
these reductions can be performed on it. For our purposes fully normal derivations are not 
required, so we introduce only the proper reductions and the induction reduction. 

In an instance of an elimination rule, the premiss containing the connective or quantifier 
that is being eliminated is called the major premiss; the other premisses are called the minor 
premisses. We always display the major premiss in the leftmost position. 

4.3.1 Proper Reductions 

Consider a derivation in which a formula occurrence $a$ is both the conclusion of an introduction rule instance $\alpha$ and the major premiss of an elimination rule instance $\beta$. Then we can derive the conclusion of $\beta$ directly by removing $\alpha$ and $\beta$ and rearranging the derivations of the premisses of $\alpha$ and of the minor premisses of $\beta$ (if any). Note that $\alpha$ and $\beta$ must be instances of an introduction rule and an elimination rule for the same logical connective, since the formula introduced by $\alpha$ is the same formula eliminated by $\beta$. Therefore for each logical connective we have a different type of proper reduction. They are listed in Figure 4.1.



Figure 4.1: The proper reductions. 
4.3.2 Induction Reduction

Consider the induction rule schema Ind in the following form:

                        [A]^α
            Π1           Π2
         A[x := 0]   A[x := succ(x)]
    Ind ───────────────────────────── α
                  A[x := t]

We call $t$ the main term of the induction. An instance $\alpha$ of the Ind rule can be reduced when the main term $t$ in its conclusion $A[x := t]$ is either $0$ or $\mathrm{succ}(u)$ for some term $u$. Then if $t = 0$ we can reduce $\alpha$ to:

            Π1
         A[x := 0]

and if $t = \mathrm{succ}(u)$ to:

                        [A]^α
            Π1           Π2
         A[x := 0]   A[x := succ(x)]
    Ind ───────────────────────────── β
                  A[x := u]
                  Π2[x := u]
               A[x := succ(u)]

where the new Ind instance $\beta$ derives $A[x := u]$, which takes the place of the assumption discharged by $\alpha$ in $\Pi_2[x := u]$. We call this conditional reduction Ind-red. It is easy to see that this reduction is "unraveling" the induction. When the main term $t$ is a numeral $n$, that is, a term of the form $\mathrm{succ}^n(0)$, we can apply the Ind-red reduction repeatedly until we remove all occurrences of the Ind rule and get:

            Π1
         A[x := 0]
         Π2[x := 0]
         A[x := 1]
         Π2[x := 1]
         A[x := 2]
            ⋮
         A[x := n]

4.4 The Witness Extracting Reductions 

In this section we introduce an inference rule that is equivalent to the restricted excluded middle axiom schema EM$_1$ defined in Definition 3 and two reductions involving this new rule. The first one, the Wit-red reduction, is inspired by interactive realizability and it will be instrumental in converting classical derivations into constructive ones. The second one is a permutative reduction and is needed later for technical reasons.

4.4.1 The EM$_1$ Rule

For convenience we replace the EM$_1$ axiom schema with the equivalent EM$_1$ rule:

          [∀x. P]^α     [¬P[x := y]]^α
             Π1              Π2
              A               A
    EM1 ───────────────────────────── α
                      A

where the variable $y$ does not occur in $A$ nor in any open assumption that $A$ depends on, except occurrences of the assumption $\neg P[x := y]$ (as in the $\exists$E rule).

The EM$_1$ rule is derived by an $\vee$E rule instance, whose major premiss is an instance of the EM$_1$ axiom and whose rightmost assumption is the major premiss of an $\exists$E instance:

                                                   [¬A[x := y]]^β
                                                         Π2
                                       [∃x. ¬A]^α         C
                          [∀x. A]^α   ∃E ───────────────── β
                             Π1                C
       (∀x. A) ∨ (∃x. ¬A)     C                C
    ∨E ──────────────────────────────────────────── α
                              C

On the other hand, the EM$_1$ axiom can be derived from the EM$_1$ rule by two $\vee$I instances:

                                            [¬A[x := y]]^α
                                         ∃I ───────────────
            [∀x. A]^α                         ∃x. ¬A
    ∨I ────────────────────              ∨I ────────────────────
       (∀x. A) ∨ (∃x. ¬A)                   (∀x. A) ∨ (∃x. ¬A)
    EM1 ─────────────────────────────────────────────────────── α
                          (∀x. A) ∨ (∃x. ¬A)

In the following we refer to the assumption $\forall x.\ P$ in the derivation of the leftmost premiss of the EM$_1$ rule as the universal assumption and to the assumption $\neg P[x := y]$ in the derivation of the rightmost premiss as the existential assumption.

We can also write the EM$_1$ rule in sequent style as:

          Γ, a : ∀x. P ⊢ A      Γ, a : ∃x. ¬P ⊢ A
    EM1 ────────────────────────────────────────── α
                         Γ ⊢ A

The universal assumption $\forall x.\ P$ is a $\Pi^0_1$ formula and thus negatively decidable, meaning that a finite piece of evidence is enough to prove it false: a counterexample, a natural number $m$ such that $P[x := m]$ does not hold. Moreover, if we know that it is false, then a counterexample exists and we can find it in finite time, in the worst case by means of a blind search through all the natural numbers.

On the other hand, in order to prove the universal assumption, we need possibly infinite evidence, namely, we may need to check $P[x := m]$ for all natural numbers $m$, and this cannot be done effectively (at least when we have no information on $P$).

The existential assumption $\neg P[x := y]$ is not actually an existential formula. However it is easy to see that it takes the place of the assumption discharged by the $\exists$E rule.

We say that we can prove the existential assumption true by showing a witness, namely a number $m$ such that $\neg P[x := m]$. Thus the existential assumption behaves as if it were positively decidable: when it is true, we have a terminating algorithm to find the finite evidence needed to prove it. However, when it is false, we have no way to effectively decide that it is false.

Note that a counterexample $m$ for the universal assumption $\forall x.\ P$ is a witness for the existential assumption, since in that case $\neg P[x := m]$ holds.

4.4.2 Witness Reduction

Consider a derivation $\Pi$ ending with an instance $\alpha$ of the EM$_1$ rule for the atomic formula $P$:

          [∀x. P]^α     [¬P[x := y]]^α
             Π1              Π2
              A               A
    EM1 ───────────────────────────── α
                      A

A priori we do not know any counterexample to the universal assumption (we do not even know whether it holds or not), so we begin by looking at how the assumption is used in $\Pi_1$. In $\Pi_1$, consider all the instances $\beta_1, \ldots, \beta_n$ of the $\forall$E rule whose premiss is an occurrence of the universal assumption $\forall x.\ P$ and whose conclusion is the occurrence of a closed (atomic) formula:

           [∀x. P]^α                    [∀x. P]^α
    ∀E ─────────────── β1     ...    ∀E ─────────────── βn
           P[x := t1]                   P[x := tn]

These represent the concrete instances of the universal assumption that are used to derive $A$ in $\Pi_1$. Since the conclusions of $\beta_1, \ldots, \beta_n$ are closed atomic formulas they are decidable. Therefore we can derive the true concrete instances directly with the atomic axiom instead of deducing them from the universal assumption. We distinguish two cases.

• If $P[x := t_i]$ is true for all $i$, we replace each $\beta_i$ with the atomic axiom for $P[x := t_i]$:

           [∀x. P]^α
    ∀E ─────────────── βi     ⟶     ─────────────── (atomic axiom)
           P[x := ti]                   P[x := ti]

  We call this new derivation $\Pi_1'$.

  Now two situations are possible: either $\Pi_1$ needs the universal assumption only to deduce the concrete instances $\beta_1, \ldots, \beta_n$, or not.

  - The first case happens when $\Pi_1'$ contains no more occurrences of the universal assumption discharged by $\alpha$, that is, the universal assumption only occurs in $\Pi_1$ as the premiss of $\beta_1, \ldots, \beta_n$. In this case $\Pi_1'$ is a self-contained derivation of $A$ and we can replace the whole $\Pi$ with $\Pi_1'$.

  - Otherwise $\Pi_1'$ still contains some occurrence of the universal assumption. Then $\Pi_1'$ does need the universal assumption itself and not just some concrete instances of it. In this case we can only replace $\Pi_1$ with $\Pi_1'$ in $\Pi$, but we cannot eliminate the EM$_1$ rule instance $\alpha$ from the derivation.

• Otherwise there is some $i$ such that $P[x := t_i]$ is false. Thus the universal assumption itself is false, since we have found the counterexample $t_i$. Moreover $t_i$ is a witness for the existential assumption, meaning that we can replace $y$ with $t_i$ in $\Pi_2$ and all the occurrences of the assumption $\neg P[x := y]$ with a derivation of $\neg P[x := t_i]$:

           [P[x := ti]]^β
           ─────────────── (atomic rule for the false instance)
                  ⊥
    ¬I ─────────────────── β
           ¬P[x := ti]

  We call this new derivation $\Pi_2'$.

  Note that in this case we replace all the occurrences of the existential assumption in $\Pi_2$ and thus $\Pi_2'$ is a self-contained derivation of $A$. Therefore we can replace $\Pi$ with $\Pi_2'$.

We call this reduction Wit-red.

The gist of the Wit-red reduction is that we look for counterexamples to the universal assumption in $\Pi_1$. If we do not find one then we have checked that all the concrete instances of the universal assumption hold. Moreover, if $\Pi_1$ uses the universal assumption exclusively to deduce these concrete instances, then we get a direct derivation of $A$ without using the EM$_1$ rule. On the other hand, if we find a counterexample then we know that we can put it in $\Pi_2$ and get another direct derivation of $A$.

In some sense we have a procedure to decide which one of the subderivations of the EM$_1$ rule is the effective one. Note that this procedure fails when we do not find counterexamples to the universal assumption but we cannot completely eliminate its occurrences from $\Pi_1$. Our main result can be thought of as the proof that, when the conclusion of a derivation is simply existential, this "failure" of the procedure does not happen. The whole reduction is summarized in Figure 4.2.
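The Wit-red reduction, as an added executable illustration that is not the dissertation's own code: derivations are represented as trees of rule instances, the instances $\beta_i$ are located in $\Pi_1$, each closed atomic conclusion is decided, and the three possible outcomes ($\Pi$ replaced by $\Pi_1'$, $\Pi_1$ replaced by $\Pi_1'$ with $\alpha$ kept, $\Pi$ replaced by $\Pi_2'$) are computed on a constructed derivation. The tuple encoding of formulas, the rule names `combine` and `fromneg` standing for the unspecified remainder of $\Pi_1$ and $\Pi_2$, and the collapse of the derivation of $\neg P[x := t_i]$ into a single axiom node are our own simplifications.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Tuple, Union

# Constructed encoding (ours): terms are numerals (int) or term variables (str);
# formulas are tuples ('atom', name, term) | ('not', F) | ('forall', v, F) |
# ('exists', v, F).  A closed atomic formula ('atom', name, n) is decided by a
# supplied function truth[name](n), standing for the decidability assumption.
Term = Union[int, str]
Formula = tuple


def subst(F: Formula, var: str, t: Term) -> Formula:
    """F[var := t], not descending under a quantifier that rebinds var."""
    if F[0] == 'atom':
        return ('atom', F[1], t if F[2] == var else F[2])
    if F[0] == 'not':
        return ('not', subst(F[1], var, t))
    return F if F[1] == var else (F[0], F[1], subst(F[2], var, t))


@dataclass(frozen=True)
class Der:
    """A derivation: a rule instance with its conclusion and premiss derivations.
    For 'assume' nodes `label` names the instance discharging the assumption;
    for 'EM1' nodes `label` is the instance's own name and `var` its variable y."""
    rule: str
    concl: Formula
    prems: Tuple['Der', ...] = ()
    label: Optional[str] = None
    var: Optional[str] = None


def map_der(d: Der, f: Callable[[Der], Der]) -> Der:
    """Rewrite bottom-up: f sees each node with its premisses already rewritten."""
    return f(replace(d, prems=tuple(map_der(p, f) for p in d.prems)))


def uses(d: Der, label: str) -> bool:
    """Does d still contain an assumption discharged by the instance `label`?"""
    return (d.rule == 'assume' and d.label == label) or any(uses(p, label) for p in d.prems)


def closed_atomic(F: Formula) -> bool:
    return F[0] == 'atom' and isinstance(F[2], int)


def wit_red(pi: Der, truth: Dict[str, Callable[[int], bool]]) -> Der:
    """One Wit-red step on a derivation Pi ending with an EM1 instance alpha."""
    assert pi.rule == 'EM1' and pi.var is not None
    alpha, y = pi.label, pi.var
    pi1, pi2 = pi.prems

    def is_beta(d: Der) -> bool:   # a forall-E instance of the universal assumption
        return (d.rule == 'forallE' and d.prems[0].rule == 'assume'
                and d.prems[0].label == alpha and closed_atomic(d.concl))

    betas = []

    def collect(d: Der) -> Der:
        if is_beta(d):
            betas.append(d)
        return d
    map_der(pi1, collect)
    false = [d for d in betas if not truth[d.concl[1]](d.concl[2])]

    if not false:
        # every concrete instance holds: derive each one by the atomic axiom
        pi1_new = map_der(pi1, lambda d: Der('axiom', d.concl) if is_beta(d) else d)
        if not uses(pi1_new, alpha):
            return pi1_new                        # Pi1' is self-contained
        return replace(pi, prems=(pi1_new, pi2))  # Pi1' still needs forall x. P
    # a counterexample t_i: plug it into Pi2 as the witness of the existential side
    t = false[0].concl[2]

    def plug(d: Der) -> Der:
        d = replace(d, concl=subst(d.concl, y, t))
        if d.rule == 'assume' and d.label == alpha:
            # the thesis derives not P[x := t] by the atomic rule and not-I;
            # here that two-step derivation is collapsed into one axiom node
            return Der('axiom', d.concl)
        return d
    return map_der(pi2, plug)


# Constructed derivation: P(x) := "x is not a root of the target", A a closed
# atomic goal; 'combine' and 'fromneg' stand for the unspecified rest of Pi1/Pi2.
P = ('atom', 'root', 'x')
A = ('atom', 'goal', 0)
UNIV = Der('assume', ('forall', 'x', P), label='alpha')


def example(target: int, extra_open: bool = False) -> Der:
    betas = tuple(Der('forallE', subst(P, 'x', n), (UNIV,)) for n in range(4))
    if extra_open:   # an instance at an open term z: not decidable, keeps alpha alive
        betas += (Der('forallE', subst(P, 'x', 'z'), (UNIV,)),)
    pi1 = Der('combine', A, betas)
    pi2 = Der('fromneg', A, (Der('assume', ('not', subst(P, 'x', 'y')), label='alpha'),))
    pi = Der('EM1', A, (pi1, pi2), label='alpha', var='y')
    return wit_red(pi, {'root': lambda m: m * m != target})
```

`example(9)` finds the counterexample $t_i = 3$ and returns $\Pi_2'$ with the witness plugged in; `example(7)` finds no counterexample and returns $\Pi_1'$ with the four instances derived by atomic axioms; `example(7, extra_open=True)` also finds no counterexample but $\Pi_1'$ still uses $\forall x.\ P$ at an open term, so only $\Pi_1$ is replaced and the EM$_1$ instance survives, which is the "failure" case discussed above.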

4.4.3 Permutative Reduction for EM$_1$

The permutative reduction for EM$_1$ is defined in the same way as the permutative reduction for the $\vee$E rule, that is, when the conclusion of an EM$_1$ rule instance is the major premiss of an elimination rule instance $*$E:

          [∀x. P]^α     [¬P[x := y]]^α
             Π1              Π2
              A               A
    EM1 ───────────────────────────── α      Σ
                      A
    *E ────────────────────────────────────────── β
                          B

reduces to:

          [∀x. P]^α                      [¬P[x := y]]^α
             Π1                              Π2
              A          Σ                    A          Σ
    *E ──────────────────── β         *E ──────────────────── β
                B                                B
    EM1 ───────────────────────────────────────────────────── α
                                B

where $\Sigma$ stands for the derivations of the remaining minor premisses of $\beta$, if any (the variable $y$ of $\alpha$ is renamed if it occurs free in $\Sigma$, so that the side condition of the EM$_1$ rule still holds). We denote this reduction as EM$_1$-perm. More explicitly, we can define a permutative reduction for each elimination rule, see Figure 4.3 and Figure 4.4.

This reduction moves elimination rule instances from "outside" or "below" to "inside" or "above" an EM$_1$ rule instance. This is useful because an EM$_1$ rule instance may happen in between an introduction rule instance and an elimination rule instance, preventing a proper reduction from taking place.

In the following we concentrate on proving a result about the form of normal proofs. We do not prove here that the reduction process converges. In order to do so, the most natural way would be to encode our proofs into proof terms in a suitable calculus and show that such a calculus is strongly normalizing. This has been done in [3], so we just state the following.

Theorem 3 (Strong Normalization of HA + EM$_1$). All proofs of HA + EM$_1$ are strongly normalizing under the reductions we described in this section.

A proof can be found in [3].



4.5 Witness Extraction

In this section we prove the witness extraction theorem, which shows how we can extract witnesses from suitable classical derivations in HA + EM$_1$, as we can do for intuitionistic derivations in HA.

In order to state and prove our results we need to keep track of free term variables in a derivation, since both the Ind-red and the Wit-red reductions can only be performed when certain terms and formulas are closed.

We need to define when a variable is free in a derivation.

Definition 12 (Free term variables). We say that a rule instance $\alpha$ binds a term variable that occurs free in the derivation $\Pi$ of a premiss of $\alpha$ in the following cases:

• $\alpha$ is an instance of the $\forall$I rule and binds the variable $x$ in the formula occurrences in the derivation of its premiss:

             Π
             A
    ∀I ─────────── α
          ∀x. A

• $\alpha$ is an instance of the $\exists$E rule and binds the variable $y$ in the formula occurrences in the derivation of its rightmost premiss:

                      [A[x := y]]^α
            Π1             Π2
          ∃x. A             C
    ∃E ────────────────────────── α
                     C

• $\alpha$ is an instance of the Ind rule and binds the variable $x$ in the formula occurrences in the derivation of its rightmost premiss:

                        [A]^α
            Π1           Π2
         A[x := 0]   A[x := succ(x)]
    Ind ───────────────────────────── α
                  A[x := t]

• $\alpha$ is an instance of the EM$_1$ rule and binds the variable $y$ in the formula occurrences in the derivation of its rightmost premiss:

          [∀x. P]^α     [¬P[x := y]]^α
             Π1              Π2
              A               A
    EM1 ───────────────────────────── α
                      A

We say that a term variable occurrence is free in a derivation when the term variable occurs free in a formula occurrence in the derivation and is not bound by any rule instance. A derivation is closed if it has no free term variable nor open assumption.

Note that no reduction introduces free term variables in a derivation.

Since a derivation is a tree, it makes sense to give the definition of branch. Principal branches are branches of a derivation that contain only major premisses of elimination and EM$_1$ rule instances.

Definition 13 (Principal branch). A branch in a derivation $\Pi$ is a sequence of formula occurrences $a_0, \ldots, a_n$ in $\Pi$ such that:

• $a_0$ is a top formula occurrence, that is, $a_0$ is either an assumption or the conclusion of an atomic axiom;

• $a_i$ and $a_{i+1}$ are respectively a premiss and the conclusion of the same rule instance $\alpha_{i+1}$, for all $0 \leq i < n$;

• $a_n$ is the conclusion of $\Pi$.

A branch is principal if, for all $0 < i \leq n$ such that $\alpha_i$ is an elimination or EM$_1$ rule instance, $a_{i-1}$ is the major (leftmost) premiss of $\alpha_i$.
We use the variables $\xi, \eta$ for branches.

In order to study the properties of normal proofs we only need to consider the structure of principal branches. A head-cut is the lowest point of a principal branch where a reduction is possible.

Definition 14 (Head-cut). The head-cut of a principal branch $\xi = a_0, \ldots, a_n$ is the formula occurrence $a_i$ with the maximum index $i$ such that one of the following holds:

• $a_i$ is the conclusion of an elimination rule instance $\alpha_i$, $a_{i-1}$ is the major premiss of $\alpha_i$ and the conclusion of an introduction rule instance $\alpha_{i-1}$; when $\alpha_{i-1}$ is a $\wedge$I rule instance we also require that $a_{i-2}$ is an occurrence of the same formula as $a_i$ (proper reductions);

• $a_i$ is the conclusion of an Ind rule instance $\alpha_i$ whose main term is either $0$ or $\mathrm{succ}(u)$ for some term $u$ (Ind-red reduction);

• $a_i$ is the conclusion of an EM$_1$ rule instance $\alpha_i$ and either $a_{i-1}$ is derived without using the assumption discharged by $\alpha_i$, or $a_0$ is an occurrence of the universal assumption discharged by $\alpha_i$ and $a_1$ is the occurrence of a closed atomic formula (Wit-red reduction);

• $a_i$ is the conclusion of an elimination rule instance $\alpha_i$ and $a_{i-1}$ is the conclusion of an EM$_1$ rule instance (EM$_1$-perm reductions).

If such an $i$ exists we say that there is a head-cut along the branch $\xi$.

This definition is the result of an analysis of the conditions that must be met in order to perform one of the reductions we have listed. In particular note how, in the condition given for the Wit-red reduction, the fact that $a_1$ is atomic implies that $a_1$ is the conclusion of a $\forall$E rule instance, as we assumed in defining Wit-red.

We shall show that, with suitable assumptions, we can perform the Wit-red reduction as needed in order to extract a witness from a derivation. One of these assumptions is that the conclusion of the derivation is "simple" enough, as we define next.

Definition 15 (Simple Formulas). We say that a formula is simply existential (resp. universal) when it is $\exists x.\ P$ (resp. $\forall x.\ P$) for some atomic formula $P$.

We say that a formula is simple when it is closed and either atomic or simply existential.
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In the following we consider the EMi and Ind rules to be neither elimination nor intro- 
duction rules and we give them special treatment. 

As we shall show later, principal branches beginning with an open assumption have a
particular structure in normal derivations: they begin with a sequence of elimination rule
instances, followed by atomic and EM₁ rule instances, and they end with introduction and
EM₁ rule instances. Any of these parts may be missing.

Definition 16 (Open normal form). A principal branch α_0, ..., α_n is said to be in open normal
form when there exist three natural numbers n_E, n_A and n_I such that n_E + n_A + n_I = n and:

• α_0 is the occurrence of an open assumption in Π,

• α_i is the conclusion of an elimination rule instance for 0 < i ≤ n_E,

• α_i is the conclusion of an atomic or EM₁ rule instance for n_E < i ≤ n_E + n_A,

• α_{n_E+n_A+1} is the conclusion of an introduction rule instance⁴,

• α_i is the conclusion of an introduction or EM₁ rule instance for n_E + n_A < i ≤ n.

n_E, n_A and n_I are the numbers of elimination, atomic or EM₁, and introduction or EM₁ rule
instances, respectively.

We can now prove our main result: closed normal derivations of simply existential formulas
in HA + EM₁ can be reduced to derivations ending with an introduction rule instance.
Derivations in HA have a similar property. The theorem we are going to prove holds for
derivations that are concrete enough, namely those that are: self-contained (without open
assumptions), concrete (without open term variables) and with an effective conclusion (a simply
existential formula). The proof is split into several lemmas.

In the first lemma we show that, in a derivation of a simply existential formula with no free term
variables, a simply universal assumption is followed by a closed atomic formula. This will
be used later to prove that we can perform the Wit-red reduction on the universal assumption
of an EM₁ rule instance.

⁴ Since EM₁ rule instances can appear intermingled with both atomic and introduction rule instances, in the
definition we require that α_{n_E+n_A+1} be the conclusion of an introduction rule, so that n_A and n_I are uniquely
determined.
Lemma 1. Let ξ = α_0, ..., α_n be a principal branch in open normal form in a derivation Π
in HA + EM₁, with n_E, n_A and n_I defined as in Definition 16. Let A_0, ..., A_n be the formulas
α_0, ..., α_n are occurrences of. Then the following statements hold:

1. A_i is a non-atomic subformula of A_n for all n_E + n_A < i ≤ n;

2. if some α_i is the conclusion of an introduction rule instance, then A_i is a subformula
of A_n.

Moreover, assume that A_n is a simple formula. Then:

3. if a term variable x is free in some A_i, then x is free in Π;

4. if some A_i is simply universal, then α_i is the premiss of a ∀E rule instance;

5. if Π has no free term variables and A_i is simply universal, then A_{i+1} is a closed atomic
formula.

Proof. (2) follows immediately from (1). We need (2) to prove (3) and (4). Then, by (3) and
(4), we prove (5). Here are the proofs.

1. We proceed by induction on n_I.

• If n_I = 0, the thesis holds vacuously.

• If n_I = 1, we need to prove the statement just for i = n_E + n_A + 1 = n, and thus α_n
is the conclusion of an introduction rule instance by Definition 16. This means
that A_n is not atomic. Obviously it is also a subformula of itself, so we are done.

• Otherwise, let n_I > 1.

Consider the subderivation Π' of Π ending with α_{n−1} and its principal branch
ξ' = α_0, ..., α_{n−1}. ξ' is in open normal form in Π', with n'_E = n_E, n'_A = n_A and
n'_I = n_I − 1. Then, by inductive hypothesis, for all n_E + n_A < i ≤ n − 1, A_i is a
non-atomic subformula of A_{n−1}.

By Definition 16, Π ends with an introduction or EM₁ rule instance α. In both
cases A_{n−1} is a subformula of A_n, since α_{n−1} is the premiss of α and α_n is its
conclusion.

Thus for all n_E + n_A < i ≤ n, A_i is a subformula of A_n. Moreover, since A_{n−1} is
non-atomic, A_n is too.

2. If α_i is the conclusion of an introduction rule instance then n_E + n_A < i ≤ n by
Definition 16. Thus we conclude by (1).

3. We show that x is not bound by any rule instance and thus is free in Π. The only rule
that binds a variable above a major premiss, and thus the only rule that can bind a
variable in a principal branch, is the ∀I rule. Now assume that a ∀I rule instance occurs
along ξ with conclusion α_j. By the previous statement (2), A_j is a subformula of A_n.
This yields a contradiction because by assumption A_n is simple and A_j is universally
quantified, since α_j is the conclusion of a ∀I rule instance.

4. We show that α_i is the premiss of a ∀E rule instance because no other alternative is
possible.

• α_i cannot be the premiss of an atomic rule instance, since we assumed that A_i is
simply universal and thus not atomic.

• α_i cannot be the premiss of an introduction rule instance, since in that case A_{i+1}
is a subformula of A_n by (2). Therefore the simply universal formula A_i is a
subformula of the simple formula A_n, which is a contradiction.

• Finally, α_i cannot be the premiss of an EM₁ rule instance. More precisely, assume
that α_i is followed by exactly j > 0 instances of the EM₁ rule. Then α_{i+j} is the
conclusion of the last EM₁ rule instance α and A_{i+j} is the same formula as A_i; in
particular A_{i+j} is simply universal. By definition of open normal form, EM₁ rule
instances can only be followed by introduction, atomic or EM₁ rule instances.
Since we assumed that there are exactly j instances of the EM₁ rule, α_{i+j} is the
premiss of either an atomic or an introduction rule instance. Then we are in one of
the previous cases and we have a contradiction.

Then α_i can only be the premiss of an elimination rule instance and, A_i being simply
universal, it must be an instance of the ∀E rule.

5. By (4) we know that α_{i+1} is the conclusion of a ∀E rule instance whose premiss is
simply universal. Therefore A_{i+1} is an atomic formula. If A_{i+1} has a free term variable,
Π has too by (3). Since we assumed that Π has no free term variables, A_{i+1} must be
closed. Therefore A_{i+1} is a closed atomic formula. □
In the following lemma we show how we can apply the Wit-red reduction.

Lemma 2 (EM₁ reduction). Let Π be a derivation in HA + EM₁ with no free term variables.
Assume that Π ends with an EM₁ rule instance α whose conclusion is an occurrence of a
simple formula. Assume that the derivation Π' of the leftmost premiss of α has a principal
branch ξ in open normal form. Then at least one of the following occurs:

1. Π has a head-cut or a non-normal term along a principal branch,

2. Π has a principal branch in open normal form.

Proof. Let ξ = α_0, ..., α_n and let A_0, ..., A_n be the formulas α_0, ..., α_n are occurrences of.
Let a be the conclusion of Π, that is, of the EM₁ rule instance α:

        [∀x. P]
          Π'             Π''
           A              A
        ─────────────────────── EM₁ (α)
                 A (a)

Note that we can extend ξ to η = α_0, ..., α_n, a, and η is a principal branch of Π.

If α_0 is not discharged by α, then η is a principal branch in open normal form and thus
we get the statement. Otherwise, α_0 is discharged by α, meaning that A_0 is the universal
assumption of the EM₁ instance. We can apply (5) of Lemma 1 to η, since α_0 is simply
universal, a is an occurrence of a simple formula and Π has no free term variables.

Then α_1 is a closed atomic formula and we can perform the Wit-red reduction, that is,
there is a head-cut along the principal branch η of Π and we can conclude. □

The following lemma shows how to handle Ind rule instances.

Lemma 3 (Induction normalization). Let Π be a derivation in HA + EM₁ ending with an Ind
rule instance. Then at least one of the following holds:

1. Π has a head-cut or a non-normal term along a principal branch,

2. Π contains a free term variable.

Proof. Let α be the Ind rule instance Π ends with and let its conclusion be an occurrence a
of some formula A[x := t]. If a has a free term variable x then x is free in Π too and we are
done. If t is not normal then all principal branches⁵ in Π have a non-normal term. Otherwise
t is a closed normal term and thus it is either 0 or succ(u) for some term u, and we can apply
the Ind-red reduction, meaning that any principal branch of Π has a head-cut. □

The following lemma can be thought of as a weak result on the structure of derivations.

Lemma 4 (Structure of Normal Form). Let Π be a derivation in HA + EM₁. Then at least
one of the following holds:

1. Π has a head-cut or a non-normal term along a principal branch;

2. Π contains a free term variable;

3. Π has a principal branch in open normal form;

4. Π ends with an introduction rule instance;

5. Π is atomic (only atomic formulas occur in Π);

6. Π ends with an EM₁ instance and its conclusion is not simple.

Proof. The proof is by induction on the structure of the derivation Π, that is, we assume
that the statement holds for all subderivations of Π and we prove that it holds for the whole
derivation.

Let α be the last rule instance in Π. If α is an introduction rule instance the statement is
satisfied and we are done.

If α is an Ind rule instance then we get the statement by applying Lemma 3 to Π.

Then we only need to understand what happens when α is an elimination, an atomic or
an EM₁ rule instance. Note that the only case in which α has no premisses is when α is
an atomic axiom. If this happens then Π is atomic (it is just the conclusion of α) and the
statement is satisfied.



⁵ Since all branches of Π end with its conclusion.
Otherwise α has one major premiss, or more than one when α is an atomic rule instance. Let Π'
be the derivation of any one of the major premisses of α. Any principal branch ξ of Π' can be
extended to a branch η of Π by appending the conclusion of Π. η is principal too because Π' is
the subderivation of a major premiss of α. We shall use this fact often in the following.

By inductive hypothesis Π' satisfies the statement, so we proceed by considering all the
possible cases.

1. Π' has a head-cut or a non-normal term along a principal branch ξ. As we noted, ξ can
be extended to a principal branch of Π with the same head-cut or non-normal term, so
Π satisfies the statement and we are done.

2. Π' contains a free term variable.

There are four rules that can bind term variables: the ∀I, ∃E, Ind and EM₁ rules. Since
the cases when α is an introduction or Ind rule instance have been taken care of already,
and since the ∃E and EM₁ rules can only bind term variables in the derivation of their
minor premiss, any free term variable in Π' is free in Π too. Thus Π satisfies the
statement.

3. Π' has a principal branch ξ = α_0, ..., α_n in open normal form. Let η be the principal
branch of Π extending ξ:

        [A_0] (α_0)
          ⋮  ξ
         α_n           …
      ──────────────────── α
             a

Note that elimination rule instances do not discharge assumptions in their leftmost
subderivation and atomic rule instances do not discharge assumptions at all.

Then, when α is either an elimination or an atomic rule instance, the assumption α_0 is
still open in Π and we have the following cases, depending on which rule α_n is the
conclusion of. Note that since ξ is in open normal form, α_n cannot be the conclusion of an
Ind instance. Thus we have the following cases (rows: the rule α is an instance of;
columns: the rule α_n is the conclusion of):

Chapter 4. A Witness Extraction Technique by Proof Normalization

    α \ α_n   | ELIM | ATOM | INTRO | EM₁
    ----------+------+------+-------+-------
    ELIM      | EXT  | NO   | CUT   | PERM
    ATOM      | EXT  | EXT  | NO    | NO/EXT

EXT: η begins with the open assumption α_0 followed by elimination and atomic rule
instances, so Π satisfies the statement;

NO: this never happens since, in a principal branch, an elimination (resp. atomic)
rule instance cannot follow an atomic (resp. introduction) rule instance, because
the major premiss (resp. conclusion) of an elimination (resp. introduction) rule
instance is not atomic and thus cannot be the conclusion (resp. premiss) of an
atomic rule instance;

CUT: α is an elimination rule instance and its major premiss is the conclusion of an
introduction rule instance, thus η ends with a head-cut and again Π satisfies the
statement;

PERM: when a major premiss of α is the conclusion of an EM₁ rule instance we can
apply the EM₁-perm reduction, thus η ends with a head-cut and Π satisfies the
statement;

NO/EXT: we have two cases depending on the n_I of ξ:

n_I > 0: then, by (1) of Lemma 1, α_n is an occurrence of a non-atomic
formula and thus α cannot be an atomic rule instance;

n_I = 0: in this case η is in open normal form and thus Π satisfies the statement.

On the other hand, if α is an EM₁ rule instance then we can apply Lemma 2 to Π and
we get the statement: if Π contains a free term variable or its conclusion is not simple,
Π already satisfies the statement by case 2 or case 6 respectively, so we can safely assume
the hypotheses of Lemma 2.



4. Π' ends with an introduction rule instance β. Then the conclusion b of β cannot be
atomic and, since it is a premiss of α, α cannot be atomic either. Therefore α must be
either an elimination or an EM₁ rule instance.

If α is an elimination rule instance then there is a head-cut along a principal branch going through
b, so Π satisfies the statement:

            ⋮
        ───────── β (introduction)
            b              …
        ───────────────────── α (elimination)
            a

If α is an EM₁ rule instance then a and b are both occurrences of the formula A. If A is
not simple then Π satisfies the statement. Otherwise we assume that A is simple: since
A cannot be atomic (it occurs as the conclusion of the introduction rule instance β), A
must be ∃x. P for some atomic formula P and β must be an ∃I rule instance. Then we
are in the following situation:

            Π''
         P[x := t]
        ─────────── ∃I (β)
          ∃x. P (b)                 ∃x. P
        ─────────────────────────────────── EM₁ (α)
                     ∃x. P (a)

where Π'' is the derivation of the premiss of β. Again note that principal branches of
Π'' extend to principal branches of Π' by appending b.

By inductive hypothesis Π'' satisfies the statement, so we proceed by considering all
the possible cases.

(a) Π'' has a head-cut or a non-normal term along a principal branch. Then Π' does
too and we are in the previously solved case 1.

(b) Π'' contains a free term variable. Since ∃I does not bind term variables, Π'
does too and we are in the previously solved case 2.

(c) Π'' has a principal branch ξ in open normal form. Since ∃I does not discharge
open assumptions, Π' does too and we are in the previously solved case 3.

(d) Π'' ends with an introduction rule instance. This cannot happen because the
conclusion of Π'', the premiss of β, is an atomic formula occurrence.

(e) Π'' is atomic. The assumption discharged by α from its leftmost subderivation
is not atomic, thus it cannot occur in Π'' since Π'' is atomic. Therefore we can
apply the Wit-red reduction, meaning that there is a head-cut at the end of the
principal branches of Π and we are in the previously solved case 1.

(f) Π'' ends with an EM₁ instance and its conclusion is not simple. This cannot
happen because we assumed that A is simple and b is an occurrence of A.

5. Π' is atomic. In this case one of the major premisses of α is atomic, so α cannot be an
elimination rule instance and must be either an EM₁ or an atomic rule instance.

• If α is an EM₁ rule instance then it is redundant: the assumption discharged by α
from its leftmost subderivation is not atomic, thus it cannot occur in Π' since Π'
is atomic. Therefore we can apply the Wit-red reduction to α, meaning that there
is a head-cut at the end of the principal branches of Π and thus Π satisfies the
statement.

• Otherwise, if α is an atomic rule instance, consider the other subderivations of
its major premisses. If they are all atomic then Π is atomic too and it satisfies the
statement. Otherwise there is a major premiss of α with a non-atomic derivation
Π''. Then one of the other cases applies with Π'' in place of Π'.

6. Π' ends with an EM₁ rule instance β and its conclusion is not simple. α cannot be
an atomic rule instance since one of its premisses is the conclusion of β, which is not
simple and thus not atomic. If α is an elimination rule instance we can apply the
EM₁-perm reduction to α and β. Thus there is a head-cut at the end of the principal
branches of Π, and Π satisfies the statement. Otherwise, if α is an EM₁ rule instance,
then the conclusions of Π and Π' are occurrences of the same non-simple formula.
Therefore Π again satisfies the statement.

Since we exhausted all the possible cases we are done. □

Our main theorem is now an easy corollary of the previous lemma.

Theorem 4 (Witness Extraction). Let Π be a derivation of a simple formula A in HA + EM₁.
Assume that:

1. Π has no principal branch with a head-cut or a non-normal term;

2. Π contains no free term variable;

3. Π has no open assumptions.

Then Π is either atomic or ends with an ∃I rule instance. In particular, if Π is closed, normal
and A is simply existential then Π ends with an introduction.

Proof. The hypotheses rule out most of the cases considered by Lemma 4. The only possible
cases are:

1. Π ends with an introduction rule instance,

2. Π is atomic.

Since A is simple it is either an atomic or an existentially quantified formula. If A is atomic, Π
cannot end with an introduction rule instance and thus Π must be atomic. Otherwise, if A is
existentially quantified, Π cannot end with an atomic rule instance and thus Π must end with
an introduction rule instance, which can only be an ∃I rule instance. □

By Theorem 3, the reduction of a derivation halts after a finite number of steps and
produces a derivation without head-cuts. Then Theorem 4 shows that our proof reduction
can extract a witness from the derivation of a closed formula ∃x. P: the witness can be found
in the premiss of the ∃I rule instance at the end of the normalized derivation, by the definition
of the ∃I rule.
Figure 4.2: The possible outcomes of the Wit-red reduction.

Figure 4.3: The permutative reductions of the EM₁ rule with the ∧E, ∨E and →E rules.

Figure 4.4: The permutative reductions of the EM₁ rule with the ∀E and ∃E rules.
Chapter 5

Interpreting a Geometric Example 
with Interactive Realizability 



In this chapter we show how to extract a monotonic learning algorithm from a classical proof
of a geometric statement by interpreting the proof by means of interactive realizability.

The statement is about the existence of a convex angle including a finite collection of
points in the real plane and it is related to the existence of a convex hull. We define real
numbers as Cauchy sequences of rational numbers, therefore equality and ordering are not
decidable. While the proof looks superficially constructive, it employs classical reasoning
to handle undecidable comparisons between real numbers, making the underlying algorithm
non-effective.

The interactive realizability interpretation transforms the non-effective linear algorithm
described by the proof into an effective one that uses backtracking to learn from its mistakes.
The effective algorithm exhibits a "smart" behavior, performing comparisons only up to the
precision required to prove the final statement. This behavior is not explicitly planned but
arises from the interactive interpretation of comparisons between Cauchy sequences.

5.1 Introduction 

We study the computational content of the proof of the following geometric statement.

Theorem 5 (Convex Angle). We have a finite set of at least three points in the real plane
ℝ² such that no three points are on the same line. Then there exist distinct points P, Q and R
such that:

• all other points S are inside the angle QPR,

• the angle QPR is convex, that is, less than π.




We choose this particular statement because we have a proof of it that looks algorithmic
and can be easily visualized. The Convex Angle Theorem can be thought of as a weakened version
of the existence of the convex hull of a finite set of points.

As we said, the proof we chose as an example looks constructive, using only decidability of
the ordering on the real numbers. However, it is well known that there is no effective ordering
on the real numbers. In our encoding of the real numbers, totality of the ordering on the
recursive reals is equivalent to EM₁. Since the proof needs the ordering to be total, it needs
EM₁. Due to the low logical complexity of the excluded middle which is used, the proof may be
interpreted with a simple case of interactive realizability.

We show how interactive realizability can be applied and what it can tell us about the 
computational content of the proof. What we get is an algorithm that, instead of comparing 
real numbers, makes an arbitrary guess about which one is smaller. If later it becomes 
apparent that the guess is wrong the algorithm retracts the choice it made since it can now 
make an informed decision about that particular comparison. Then the algorithm performs 
comparisons only when needed and only up to the required precision. 

Thus we see how a simple classical proof which performs comparisons between real 
numbers is interpreted as a learning algorithm which uses "educated guesses" in order to 
avoid non effective operations. This non-trivial behavior is not explicit in the classical proof, 
but follows from the definition of ordering on Cauchy sequences by means of the interactive 
realizability interpretation. 
In this chapter, our main goal is to showcase interactive realizability and the backtracking
algorithms it produces through a non-trivial example. For this reason, we chose to present 
interactive realizability as a proof interpretation technique rather than as a realizability se- 
mantics, in order to concentrate on the example and its computational interpretation without 
being bogged down in technical details. 

Note that interactive realizability is by no means the only approach to extract a computa- 
tional interpretation from our proof. It should also be noted that while our proof is classical, 
it can be seen that our statement admits an intuitionistic proof by the conservativity results 
in [8]. 

5.2 Real Numbers 

In this section we present our treatment of real numbers in Heyting Arithmetic. 

There are many ways of encoding integer and rational numbers in HA and defining primitive
recursive operations and predicates on them. In the following we assume that we have
any such encoding, and that we have decidable equality =_Q and orderings <_Q, ≤_Q and effective
operations +_Q, −_Q. We use the variables q and p for rationals.

5.2.1 Cauchy Sequences 

There are many equivalent ways of defining the real numbers from the rational numbers. 
The most known are the definition of the reals as equivalence classes of Cauchy sequences 
and as Dedekind cuts. We follow the first approach. 

A sequence of rationals r : ℕ → ℚ is a Cauchy sequence if the following holds:

$$\forall k.\ \exists k_0.\ \forall k_1, k_2.\ |r(k_0 + k_2) - r(k_0 + k_1)| < 2^{-k}. \qquad (5.1)$$

While this sequence approximates a real number, it can do so very slowly. By means of
classical reasoning, we can show that, from any Cauchy sequence, we can extract a fast-
converging monotone sub-sequence. For this reason, instead of general Cauchy sequences,
we can consider sequences of nested intervals with rational extremes whose length decreases
exponentially. An interval is determined by its extremes, so we represent a sequence of intervals
as a pair of sequences of rationals r⁻, r⁺, representing the lower and higher extremes
of the intervals respectively. Then we require that r⁻ is increasing and r⁺ is decreasing
(since the intervals are nested), that r⁻(k) is less than or equal to r⁺(k) (since they are the
lower and higher extremes of the same interval) and that their difference is smaller than 2^{−k}. More
precisely, we say that r⁻ and r⁺ represent a real number when they satisfy the following
condition, written as a Π⁰₁ formula:

$$\forall k.\ (r^-(k) \le_{\mathbb{Q}} r^+(k)) \wedge (r^-(k) \le_{\mathbb{Q}} r^-(k+1)) \wedge (r^+(k) \ge_{\mathbb{Q}} r^+(k+1)) \wedge (r^+(k) -_{\mathbb{Q}} r^-(k) <_{\mathbb{Q}} 2^{-k}). \qquad (5.2)$$

While the choice of the specific definition of real number is somewhat arbitrary, it is signif- 
icant because it affects the logical properties (in particular the degree of undecidability) of 
the ordering on the reals. 

5.2.2 Order Predicate 

Now we can define an "order predicate" OP(r, s, k), which can be thought of as a family of
strict partial orders on the real numbers indexed by the natural number k. More precisely, it is
a formula that determines when the sequence of nested intervals r is strictly less than s, at
precision k. This happens when, at k, the higher extreme of the interval of r is strictly smaller
than the lower extreme of the interval of s. Then, from that point forward, the intervals will be
forever disjoint, since they are nested sequences. This allows us to write the order predicate as
the formula:

$$OP(r, s, k) = r^+(k) <_{\mathbb{Q}} s^-(k), \qquad (5.3)$$

which is decidable in r and s. Note that the definition of OP depends on that of real number.
If we had used the classical definition of Cauchy sequence, the order predicate would be the
following Π⁰₁ formula:

$$OP'(r, s, k) = \forall l.\ l > k \to r(l) <_{\mathbb{Q}} s(l). \qquad (5.4)$$

This is very significant for our purposes: the order predicate in (5.3) is decidable in r and s
(since the order on the rationals is), while (5.4) is only negatively decidable. This means
that we have an effective method to decide (5.4) when it is false, but not when it is true.
We need OP to satisfy some properties, written as rules in Figure 5.1.

Figure 5.1: Rules for OP.

The OP-mon rule expresses a monotonicity property: when a comparison at a given precision
can distinguish two approximations, then comparisons at greater precision do too. The other
rules correspond to the standard axioms for a strict partial order: irreflexivity, asymmetry
and transitivity.

We verify that our definition of OP satisfies these properties.

Lemma 5. The order predicate OP defined by (5.3) satisfies the properties given in Figure 5.1.

Proof. We show that the properties follow directly from the definition of OP as (5.3) and
from our representation of real numbers as sequences of nested intervals (5.2).

Monotonicity We want to prove that

$$OP(r, s, k+1) = r^+(k+1) <_{\mathbb{Q}} s^-(k+1),$$

assuming that:

$$OP(r, s, k) = r^+(k) <_{\mathbb{Q}} s^-(k).$$

This follows by applying the transitive property of the order on the rationals to the
following chain of inequalities:

$$r^+(k+1) \le_{\mathbb{Q}} r^+(k) <_{\mathbb{Q}} s^-(k) \le_{\mathbb{Q}} s^-(k+1),$$

where the first step holds since r⁺ is weakly decreasing, the second by assumption and the
third since s⁻ is weakly increasing.

Irreflexivity We have to prove that

$$OP(r, r, k) = r^+(k) <_{\mathbb{Q}} r^-(k)$$

yields a contradiction. This is a consequence of the fact that r⁻(k) and r⁺(k) are
respectively the lower and higher extremes of the same interval, so that r⁻(k) ≤_Q r⁺(k) by (5.2).

Asymmetry The OP-asym rule is actually derivable from transitivity and irreflexivity:

      OP(r, s, k)   OP(s, r, l)
      ───────────────────────── OP-trans
         OP(r, r, max(k, l))
      ───────────────────────── OP-irrefl
                  ⊥

Transitivity We have to prove that

$$OP(r, t, \max(k, l)) = r^+(\max(k, l)) <_{\mathbb{Q}} t^-(\max(k, l))$$

follows from the assumptions:

$$OP(r, s, k) = r^+(k) <_{\mathbb{Q}} s^-(k), \qquad OP(s, t, l) = s^+(l) <_{\mathbb{Q}} t^-(l).$$

We have two cases depending on whether max(k, l) is k or l. Since the two cases are
very similar, we only show the proof of the first. Thus we assume that max(k, l) = k,
which means that k ≥ l.

Again this follows by applying the transitive property of the order on the rationals to the
following chain of inequalities:

$$r^+(k) <_{\mathbb{Q}} s^-(k) \le_{\mathbb{Q}} s^+(k) \le_{\mathbb{Q}} s^+(l) <_{\mathbb{Q}} t^-(l) \le_{\mathbb{Q}} t^-(k),$$

where the first step is the first assumption, the second holds since [s⁻(k), s⁺(k)] is an interval,
the third since s⁺ is weakly decreasing and k ≥ l, the fourth is the second assumption and the
last holds since t⁻ is weakly increasing and k ≥ l. Thus we have:

$$r^+(k) <_{\mathbb{Q}} t^-(\max(k, l)). \qquad \square$$
5.2.3 Order and Equality on the Real Numbers

We can now define order and equality on the reals. It is noteworthy that, while we define
order and equality in terms of OP, we never use the definition of OP itself in proving their
properties. We only need the properties of OP we proved in Lemma 5, thus we could proceed
in the same way even if we had defined OP differently, as long as Lemma 5 holds.
They are defined as follows:

$$r <_{\mathbb{R}} s = \exists k.\ OP(r, s, k),$$

$$r \le_{\mathbb{R}} s = \forall k.\ \neg OP(s, r, k),$$

$$r \ne_{\mathbb{R}} s = \exists k.\ OP(r, s, k) \vee OP(s, r, k),$$

$$r =_{\mathbb{R}} s = \forall k.\ \neg OP(r, s, k) \wedge \neg OP(s, r, k).$$

Note that <_R and ≠_R are Σ⁰₁ formulas and ≤_R and =_R are Π⁰₁ formulas. Moreover ≤_R and =_R
are the dual formulas of <_R and ≠_R respectively, as defined in Section 2.1.6.

In order to prove the Least Element Lemma, which is needed in the proof of the Convex 
Angle Theorem, we need to show some of the properties of the order <r. 

Lemma 6 (Reflexivity, Semi-Transitivity and Totality of ≤_R). The following properties hold:

$$r \le_{\mathbb{R}} r \qquad \text{(reflexivity)}$$

$$r <_{\mathbb{R}} s \wedge s \le_{\mathbb{R}} t \to r \le_{\mathbb{R}} t \qquad \text{(semi-transitivity)}$$

$$r \le_{\mathbb{R}} s \vee s <_{\mathbb{R}} r. \qquad \text{(totality)}$$

Proof. The first two properties follow from the corresponding properties of OP. The last is
a classical tautology.

• In order to prove reflexivity we have to show that:

$$r \le_{\mathbb{R}} r = \forall k.\ \neg OP(r, r, k).$$

This follows by the OP-irrefl rule:

        [OP(r, r, k)]ᵃ
        ─────────────── OP-irrefl
              ⊥
        ─────────────── ¬I (a)
          ¬OP(r, r, k)
        ─────────────── ∀I
        ∀k. ¬OP(r, r, k)

• In order to prove the transitive property for mixed <_R and ≤_R we have to show that:

$$r \le_{\mathbb{R}} t = \forall k.\ \neg OP(t, r, k),$$

assuming that:

$$r <_{\mathbb{R}} s = \exists k.\ OP(r, s, k), \qquad s \le_{\mathbb{R}} t = \forall k.\ \neg OP(t, s, k).$$

This follows by means of the OP-trans rule:

                                         [OP(t, r, k)]¹   [OP(r, s, l)]²
       ∀k. ¬OP(t, s, k)                  ─────────────────────────────── OP-trans
       ──────────────────── ∀E                 OP(t, s, max(k, l))
       ¬OP(t, s, max(k, l))
       ─────────────────────────────────────────────────────────────── ¬E
                                     ⊥
       ∃k. OP(r, s, k)                ⊥
       ────────────────────────────────── ∃E (2)
                       ⊥
                 ──────────── ¬I (1)
                 ¬OP(t, r, k)
                 ──────────── ∀I
                ∀k. ¬OP(t, r, k)

• We have to show that:

$$r \le_{\mathbb{R}} s \vee s <_{\mathbb{R}} r = \forall k.\ \neg OP(s, r, k) \vee \exists k.\ OP(s, r, k),$$

which is an instance of EM₁ when r and s denote recursive real numbers. □

The proof is constructive apart from the last point, where we show that totality is actually
an instance of EM₁. Note that only the reflexivity property is stated in the standard way,
while transitivity and totality are written in non-standard forms. We chose these forms for
two reasons: they are easier to prove and they are the exact form we need in the proof of the
Least Element Lemma.

5.2.4 Variables for Real Numbers 

Until now we have used r, s and t as metavariables for real numbers in an informal way. 
However, since we are working in the first-order language of arithmetic, our variables range 
only on natural numbers and not on functions. For our example we only need to address 
a finite but arbitrary number of real numbers, that is, we only need a countable quantity of 
them. Thus we can assume that we have a countable set of function symbols indexed by the 
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natural numbers. These function symbols represent sequences of rational numbers satisfying 
some notion of convergence. 

In the case we are considering, where real numbers are represented with sequences of
nested intervals satisfying the convergence condition (5.2), we proceed as follows. We assume
that we have two sequences of indexed function symbols:

$$f_0^+, \ldots, f_n^+, \ldots \quad \text{and} \quad f_0^-, \ldots, f_n^-, \ldots$$

such that, for any index n, $f_n^+$ and $f_n^-$ satisfy the convergence condition (5.2). Then we can
formally define the order predicate as:

$$OP(i, j, k) = f_i^+(k) <_Q f_j^-(k),$$

where i and j are metavariables for arithmetic terms. Thus, when we write i < j, we mean
that i is smaller than j as an index, that is, as a natural number; on the other hand, when we
write $i <_R j$, we mean that the real number indexed by i is smaller than the one indexed by
j.

However this notation, while formally correct, is hard to read: i < j and $i <_R j$ look
confusingly similar while having unrelated meanings. In order to avoid confusion and hurting
the eyes of mathematicians, we sugar-coat our syntax. We write $r_i$ instead of i when thinking
of i as a real number. For instance we write $r_i <_R r_j$ instead of $i <_R j$. The former is much
more intuitive than the unsugared version.

5.2.5 The Least Element Lemma 

Now we can reason about finite sets of real numbers as sets of indexes. In the next lemma, we 
shall work with the sets of real numbers indexed by initial segments of the natural numbers. 
We show the existence of a least element in each of these sets. The least element is actually a 
minimum, that is, the unique least element of the set. However, in order to prove the Convex 
Angle Theorem we do not need to show its uniqueness, just its existence. 

Lemma 7 (Least Element). For any n, the real numbers $r_0, \ldots, r_n$ have a least element with
respect to $\le_R$. More precisely:¹

$$\forall n.\ \exists i \le n.\ \forall j \le n.\ r_i \le_R r_j.$$

Proof. We proceed by induction on n.

Zero case In the base case n = 0 and we have to prove that:

$$\exists i \le 0.\ \forall j \le 0.\ r_i \le_R r_j.$$

Both i and j can only be 0; thus we just have to check the condition $r_0 \le_R r_0$, which
holds by reflexivity of $\le_R$.

Successor case In the inductive case we have to prove that:

$$\exists i \le n + 1.\ \forall j \le n + 1.\ r_i \le_R r_j,$$

from the inductive hypothesis:

$$\exists i \le n.\ \forall j \le n.\ r_i \le_R r_j.$$

By the inductive hypothesis, let $i \le n$ be the index of the least element in $r_0, \ldots, r_n$.
By totality of $\le_R$ we have two cases.

$r_i \le_R r_{n+1}$ Then i is the index of a least element in $r_0, \ldots, r_{n+1}$, since $r_i \le_R r_j$ when
j = n + 1 (since we are considering this case) and when $j \le n$ by inductive
hypothesis.

$r_{n+1} <_R r_i$ Then n + 1 is the index of a least element in $r_0, \ldots, r_{n+1}$, since $r_{n+1} \le_R r_j$
when j = n + 1 by reflexivity of $\le_R$ and when $j \le n$ by transitivity of $<_R$ and $\le_R$,
since:

$$r_{n+1} <_R r_i \le_R r_j$$

by inductive hypothesis. □



¹ We use the standard compact notation for bounded quantifications:

$$\forall j \le n.\ A \text{ stands for } \forall j.\ j \le n \to A,$$
$$\exists j \le n.\ A \text{ stands for } \exists j.\ j \le n \land A.$$
The proof looks constructive: its computational interpretation is the usual algorithm that
finds the least element in a vector, by a simple recursion or by looping on its elements. We
can write it as a recursive function "rmin" in Haskell:

Listing 5.1: The Least Element Program

    -- rmin n is the index of a least element among r_0, ..., r_n
    rmin 0 = 0
    rmin n = if rle (rmin (n-1)) n
               then rmin (n-1)
               else n

where "rle" is a boolean function that stands for $\le_R$, that is, it compares the reals indexed
by its arguments. The problem is that this is not a good program, because we are unable to
write "rle" as a terminating program. The closest approximation would be the following
unfounded recursion:

Listing 5.2: The Lesser or Equal Program

    -- rle i j searches for a counterexample to r_i <=_R r_j;
    -- it halts (with False) only when one exists
    rle i j = rle_urec 0 i j
    rle_urec k i j = if op j i k
                       then False
                       else rle_urec (k+1) i j

where "op" is a total boolean function that stands for the order predicate OP. We can assume
that "op" terminates for any input since OP is decidable. The problem is that $\le_R$ is total
only classically. More precisely, totality is an instance of EM$_1$ because $\le_R$ is a $\Pi^0_1$ formula
and thus negatively decidable. This can be seen concretely in the program for "rle":
"rle i j" only halts (returning "False") if "op j i k" is true for some k, that is, if and
only if $r_i \le_R r_j$ is false. On the other hand, when $r_i \le_R r_j$ is true there is no such k and
the evaluation of "rle i j" will never halt. Note that "True" does not even occur in the
program, so it is clear that "rle i j" never returns "True". This is the general behavior
of an algorithm that computes a negatively decidable predicate: when the predicate is false
it halts with the correct answer and when the predicate is true it does not halt.

For positively decidable predicates we have the dual behavior. For instance, in the case
of $<_R$, which is defined by a $\Sigma^0_1$ formula and thus positively decidable, the decision procedure
can be written as:

Listing 5.3: The Lesser Than Program

    -- rlt i j searches for a witness of r_i <_R r_j;
    -- it halts (with True) only when one exists
    rlt i j = rlt_urec 0 i j
    rlt_urec k i j = if op i j k
                       then True
                       else rlt_urec (k+1) i j

The program is very similar to the previous one: the only noteworthy changes are the order
of the arguments given to "op" and the fact that the only possible return value is "True"
instead of "False". It only halts (returning "True") if "op i j k" is true for some k, that
is, when $r_i <_R r_j$ is true.

Remark 3. Note how Program 5.1 is much shorter than the proof of the Least Element
Lemma. This difference would be even bigger if the proof were written in a completely formal
language, for instance in a proof assistant. The reason for this discrepancy is that the proof
contains both the algorithm written in Program 5.1 and the evidence for the correctness of
the algorithm. This last part is missing from Program 5.1, thus explaining the difference in
length.

5.3 The Interactive Interpretation of the Least Element Lemma 

We have seen why the naive way of extracting a program from proofs fails in the case of
the Least Element Lemma. Now we give the interactive interpretation of the Least Element
Lemma. Since we are working in HA + EM$_1$, any proof can be thought of as a constructive
proof with open assumptions, which are the instances of EM$_1$ that are used in the proof.
The interactive realizability interpretation follows the standard BHK interpretation for the
constructive parts, so we will concentrate on the interpretation of the EM$_1$ instances.
The only instances of EM$_1$ in the proof are those used to deduce the totality property:

$$r_i \le_R r_j \lor r_j <_R r_i. \qquad (5.5)$$

The left disjunct, which we call the universal disjunct, is $\Pi^0_1$ and negatively decidable, while
the right one, the existential disjunct, is $\Sigma^0_1$ and positively decidable. Moreover the universal
disjunct and the negation of the existential disjunct are classically equivalent. We say that a
formula is concrete when it is closed and all its arithmetical terms are normal.
In order to motivate the interactive realizability interpretation we show why a naive attempt
to give a computational behavior to an EM$_1$ instance fails. This can be seen concretely,
by recalling the semi-effective procedures Programs 5.2 and 5.3 that decide the disjuncts of
the instances of EM$_1$ representing the totality, but the general argument is the same. The
universal disjunct is negatively decidable, that is, its deciding program halts if and only if
it is false; the existential disjunct is positively decidable, that is, its deciding program halts
if and only if it is true. What happens if we run these two decision programs in parallel?
Can one give the answer whenever the other fails? In recursion theory, this method is used
for instance to prove that if the complement of a recursively enumerable set is recursively
enumerable then the set is recursive. Unfortunately this does not work in our case. We have
two scenarios:

• If the existential disjunct is true, its decision procedure halts and returns true. Since 
in this case the universal disjunct is false, its decision procedure also halts and returns 
false. 

• If the universal disjunct is true, its decision procedure does not halt. Since in this case 
the existential disjunct is false, its decision procedure does not halt either. 

The problem lies in the fact that the disjuncts are dual and their decision procedures describe 
basically the same algorithm with minor variations. In particular they halt or fail to halt 
on the same inputs. This is evident when considering the programs given in Programs 5.2 
and 5.3. 

Interactive realizability proposes a way to side-step the problem evidenced above. This
is possible since it is not true that the computational interpretation of a proof using instances
of EM$_1$ necessarily needs to decide these instances. Consider the case of totality of the order
on the real numbers. The universal disjunct is:

$$r_i \le_R r_j = \forall k.\,\neg OP(r_j, r_i, k).$$

Being a universally quantified statement, it proves infinitely many instances $\neg OP(r_j, r_i, k)$, one for
each natural number k. A proof that uses totality may need all this infinite information or
(for example, when proving a simply existential statement) may only need a finite quantity
of these instances. In the second case, we can avoid the problem of effectively deciding the
EM$_1$ instance. We only need to decide those instances that are actually used in the proof.
This is possible, since each instance is decidable (being a quantifier-free formula) and we
assumed there is a finite quantity of them. Interactive realizability takes advantage of this
fact and gives a procedure to determine which instances of the universal disjunct are needed
and to iteratively decide them.

96 Chapter 5. Interpreting a Geometric Example with Interactive Realizability

The interactive interpretation is a "relaxation" of the BHK interpretation. In the BHK
interpretation the decision of a disjunction effectively selects a true disjunct; in the interactive
case, instead of a decision, we have a sort of "educated guess". Therefore, while EM$_1$ cannot
be realized by the BHK interpretation since there is no effective procedure to decide it, the
interactive interpretation can, because it yields a weaker semantics, which produces a sure
result only when the goal is simply existential.

Interactive realizability revolves around the concept of knowledge state. A knowledge
state, or simply state, is a finite object that stores information about the EM$_1$ instances we
use in the proof. The purpose of this information is to help us decide the EM$_1$ instances, that
is, to help us in choosing which disjunct holds. Moreover, whenever the state chooses the
existential disjunct, it should also produce a witness, like in the BHK interpretation.

We can represent a state as a finite partial function² that maps a concrete instance of
EM$_1$ into a witness of its existential disjunct. Such a function decides or guesses a concrete
instance A of EM$_1$: if it is undefined on A, then we choose the universal disjunct; if it is
defined we choose the existential disjunct with the returned witness. We are only interested in
the instances appearing in the proof, namely, those of the form (5.5) when i, j are numerals.
Thus an instance is determined by two natural numbers; since witnesses are natural numbers
too, a state can be concretely defined as a finite partial function from $\mathbb{N} \times \mathbb{N}$ to $\mathbb{N}$.

For instance, consider the case of the EM$_1$ instances used in the proof of the Least Element
Lemma. When we have to decide (5.5), we check the state on the pair (i, j). At first,
let us assume that the state is undefined on (i, j). This means we have no knowledge about
the universal disjunct $r_i \le_R r_j$. Since we cannot effectively check that the universal disjunct
holds, we make an educated guess and assume that $r_i \le_R r_j$ is true. Clearly this assumption
could very well be wrong, which may or may not become apparent later in the proof. Keeping
track of this assumption, we carry on with the proof. Every time we use this assumption
to prove a decidable instance of it, we check if the instance holds. More concretely, if later
in the proof we use the assumption $r_i \le_R r_j$ to deduce that $\neg OP(j, i, k)$ for some k, we check
that $\neg OP(j, i, k)$ holds. If this is the case, we carry on with the proof: $r_i \le_R r_j$ could still
be false, but at least the particular instance we are using is true. If this is not the case, we
have found a counterexample to the assumption $r_i \le_R r_j$: being negatively decidable, the
counterexample is enough to effectively decide that it is false. Therefore we stop following
the proof because we have chosen the wrong disjunct in the EM$_1$ instance (5.5).

² By finite partial function, we mean a partial function whose domain (the set of elements where it is defined)
is finite.

Moreover, a counterexample to $r_i \le_R r_j$ is a natural number k such that OP(j, i, k).
Therefore k is a witness for the existential disjunct $r_j <_R r_i$. We can use this new knowledge
to add (i, j) to the domain of the state with value k. Remember that we assumed the state to
be undefined on (i, j), which is why we assumed the universal disjunct to be true in the first
place.

At this point, we forget what we did after guessing (wrongly) that the universal disjunct
was true and start again. More precisely, we need to backtrack to a computation state before
we decided the EM$_1$ instance in question and repeat our decision with the extended state.
Since the extended state is defined on (i, j) and yields k, this time we decide the EM$_1$ instance
differently: we choose the existential disjunct $r_j <_R r_i$ with k as witness. Now we are sure
that our choice is the correct one and not a guess, since we have effectively decided that the
existential disjunct holds (we can, since it is positively decidable).

The exact point we need to backtrack to is not relevant, as long as it is before the decision
of the EM$_1$ instance. A simple choice would be the very beginning, in which case we do not
need to keep track of where we decided the EM$_1$ instance. A more efficient choice is right
before the decision point, so that we do not need to repeat the computations before it, which
do not change.

In order for the interactive interpretation to produce correct results, we need to assume
that the state is sound, that is, when it is defined, the witness it yields is actually a witness.
More formally, a state s is sound if, for any pair (i, j) in its domain, OP(j, i, s(i, j)) holds. This
assumption is not problematic: the empty state, namely the state that is always undefined,
satisfies it vacuously. Moreover, note that in the interactive interpretation we outlined above,
we only extend a state with an actual witness. In other words, the extension preserves the
soundness property.

To summarize, the general procedure is the following:

1. we start from any sound state (usually the empty state),

2. we follow the proof, choosing any EM$_1$ instance according to the state,

3. if we discover that we wrongly assumed the universal disjunct of an EM$_1$ instance:

(a) we extend the state with the counterexample we found,

(b) we backtrack to a point before the EM$_1$ instance we guessed wrong,

(c) we proceed as in step 2,

4. if we never discover that we wrongly assumed a universal disjunct we carry on until
the end of the proof and we are done.

Interactive realizability can be thought of as a "smart", albeit "partial", decision algorithm
for negatively decidable statements. This can be seen by comparing it with the naive algorithm
given in Program 5.2. It is partial because a real decision is impossible, so it only considers
a finite number of instances, unlike the unbounded recursion employed by Program 5.2. It
is smart because it does not perform a blind search, trying in order all the natural numbers.
Instead it uses the proof itself to find the counterexamples. There is a reasonable expectation
that the ideas underlying the proof provide a more focused way of selecting counterexamples
than a blind search (this of course depends on the proof itself).

Until now we considered a single instance of the EM$_1$ axiom, but little changes if there is
more than one. We will return to this point later. In the proof of the Least Element Lemma,
one instance of EM$_1$ is used for each inductive step in the proof. When we interpret the
proof with the empty state, for each of these instances we assume that the universal disjunct
holds. Therefore the proof is interpreted as follows. In the base step we choose $r_0$. In the
first inductive step, we have to decide the EM$_1$ instance:

$$r_0 \le_R r_1 \lor r_1 <_R r_0.$$

Since the state is empty, we assume that $r_0 \le_R r_1$. Thus we keep $r_0$ as the least element of
$r_0, r_1$. In the second inductive step, we have to decide the EM$_1$ instance:

$$r_0 \le_R r_2 \lor r_2 <_R r_0.$$

Since the state is empty, we again assume that $r_0 \le_R r_2$. Thus we keep $r_0$ as the least element
of $r_0, r_1, r_2$. At the end of the proof, we have assumed the following universal disjuncts:

$$r_0 \le_R r_1,\ r_0 \le_R r_2,\ \ldots,\ r_0 \le_R r_n. \qquad (5.6)$$

Under these assumptions, we have found that the least element is $r_0$. Rather disappointing,
isn't it?

The reason for this is that the universal disjuncts $r_i \le_R r_j$ are never instantiated, so we have
neither opportunity nor reason to falsify one of them. However this may change if the Least
Element Lemma is used inside a bigger proof. This will happen later in the proof of the
Convex Angle Theorem. In this case the outer proof might instantiate these assumptions and
discover them wrong, in which case we have to backtrack to the proof of the Least Element
Lemma.

Let us see how the Least Element Lemma behaves when its conclusion is used to deduce
decidable instances. Assume that n = 5. If the state is empty, then the Least Element Lemma
tells us that $r_0$ is a least element. This means that $r_0 \le_R r_i$ for any i. Imagine that we use
the Least Element Lemma in a bigger proof to prove that $r_0 \le_R r_3$. This is one of the universal
disjuncts we assumed in (5.6). Moreover, imagine that, using this assumption, we discover
that $r_0 \le_R r_3$ does not hold at precision 33. Then we have to extend the domain of the state
to (0, 3) with value 33. At this point we backtrack, say to the beginning of the proof of the
Least Element Lemma.

We again start from $r_0$ and proceed like before. The first and second inductive steps
again select $r_0$ as the least element, assuming that $r_0 \le_R r_1$ and $r_0 \le_R r_2$. Things change
at the third inductive step, when we have to decide $r_0 \le_R r_3 \lor r_3 <_R r_0$. Since now the
state has a relevant witness, this time we choose the existential disjunct with witness 33,
thus selecting $r_3$ as the new least element. In the next inductive steps we again assume the
universal disjuncts $r_3 \le_R r_4$ and $r_3 \le_R r_5$, since the state has no information on them. Thus
our least element is $r_3$. A summary of our decisions is represented in Figure 5.2. Imagine
that we were to discover a counterexample to $r_3 \le_R r_2$, say at precision 25. This statement is
not one of the universal disjuncts that we assumed. By looking at the proof or at Figure 5.2,
we can see that it has been deduced by the semi-transitivity property from $r_3 <_R r_0$ and
$r_0 \le_R r_2$. The first is the existential disjunct for which we found a witness, so we are sure
that it holds. Thus the wrong assumption is $r_0 \le_R r_2$. By checking the proof of semi-transitivity
we can see that the counterexample for $r_0 \le_R r_2$ is max(25, 33), thus 33 again.
We extend the state accordingly and repeat the least element computation, which results in
the new least element $r_2$. In Figure 5.3 we summarize the iterations we saw until now and add
some more, as an example.

Figure 5.2: A graph representing the result of the least element computation. Full arrows represent
information provided by the state, dotted arrows "guessed" information the state knows nothing
about.
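The procedure summarized in steps 1 to 4 above and the run through it for n = 5 can be written out as one program: the state is a finite partial function from index pairs to witnesses, a universal disjunct is guessed whenever the state is undefined, and a counterexample found by the outer proof is traced back through semi-transitivity (taking the maximum of the two precisions, as for $r_0 \le_R r_2$ above) to the guess that was wrong. The following Python is an added example and not code from the dissertation; the six reals, the precisions at which the outer proof uses the conclusion, and the names `approx`, `op`, `rmin_interactive`, `blame` and `least_element` are constructed for the illustration.

```python
from fractions import Fraction
from typing import Callable, Dict, List, Optional, Tuple

# A real number is coded, as in the text, by a nested interval sequence
# k -> (lower, upper) whose width shrinks as the precision k grows.
Real = Callable[[int], Tuple[Fraction, Fraction]]
# A state is a finite partial function (i, j) -> k; it is sound when
# OP(j, i, k) holds, i.e. k witnesses the existential disjunct r_j <_R r_i.
State = Dict[Tuple[int, int], int]


def approx(x: Fraction) -> Real:
    """Constructed sample real: the intervals of width 2^-k centred on x."""
    return lambda k: (x - Fraction(1, 2 ** (k + 1)), x + Fraction(1, 2 ** (k + 1)))


def op(reals: List[Real], i: int, j: int, k: int) -> bool:
    """Decidable order predicate OP(i, j, k): at precision k the upper
    bound of r_i lies below the lower bound of r_j."""
    return reals[i](k)[1] < reals[j](k)[0]


def rmin_interactive(n: int, state: State):
    """Interactive interpretation of the Least Element Lemma for r_0..r_n.

    Returns the candidate index and, for every j <= n, how the proof
    justified r_cand <=_R r_j while being followed with this state:
      ('refl',)             j is the candidate itself
      ('guess', c, j)       universal disjunct r_c <=_R r_j assumed for lack
                            of information (the state is undefined on (c, j))
      ('trans', w, c, prev) semi-transitivity from r_cand <_R r_c, witnessed
                            by w from the state, and prev for r_c <=_R r_j
    """
    cand, just = 0, {0: ("refl",)}
    for m in range(1, n + 1):           # one EM_1 instance per inductive step
        if (cand, m) in state:
            # The state witnesses r_m <_R r_cand: m becomes the candidate.
            w = state[(cand, m)]
            just = {j: ("trans", w, cand, pj) for j, pj in just.items()}
            just[m] = ("refl",)
            cand = m
        else:
            just[m] = ("guess", cand, m)
    return cand, just


def blame(just: tuple, k: int) -> Tuple[Tuple[int, int], int]:
    """Given a counterexample k to the justified fact r_cand <=_R r_j (that is,
    OP(j, cand, k) holds), return the guessed pair (c, j) that was wrong and a
    witness w with OP(j, c, w), following the proof of semi-transitivity."""
    if just[0] == "guess":
        return (just[1], just[2]), k
    if just[0] == "trans":
        _, w, c, prev = just
        # OP(j, m, k) and OP(m, c, w) give OP(j, c, max(k, w)) by OP-trans.
        return blame(prev, max(k, w))
    raise ValueError("reflexivity cannot be falsified")


def least_element(reals: List[Real], uses: List[Tuple[int, int]],
                  state: Optional[State] = None):
    """Steps 1-4 of the general procedure: start from a sound state, follow the
    proof, let the outer proof instantiate r_cand <=_R r_j at precision k for
    each (j, k) in `uses`, and on a counterexample extend the state and
    backtrack to the beginning. Returns (least element, final state, runs)."""
    n = len(reals) - 1
    state = dict(state or {})
    runs = 0
    while True:                         # at most 2^n - 1 backtrackings
        runs += 1
        cand, just = rmin_interactive(n, state)
        falsified = [(j, k) for j, k in uses if op(reals, j, cand, k)]
        if not falsified:
            return cand, state, runs
        j, k = falsified[0]
        (c, jj), w = blame(just[j], k)
        assert op(reals, jj, c, w)      # the extension keeps the state sound
        state[(c, jj)] = w


# Constructed input: six reals, and an outer proof that instantiates the
# conclusion r_cand <=_R r_j for j = 5, 4, ..., 0 at precision 5 + j.
SAMPLE = [approx(Fraction(q)) for q in ("3/4", "3/8", "1/2", "1/4", "5/8", "7/8")]
USES = [(j, 5 + j) for j in range(5, -1, -1)]

if __name__ == "__main__":
    least, final_state, runs = least_element(SAMPLE, USES)
    print(least, final_state, runs)     # 3 {(0, 4): 9, (0, 3): 9} 3
```

With the constructed input the proof is followed three times and ends with $r_3$, the second run blaming the guess $r_0 \le_R r_3$ through a semi-transitivity step; a state that already witnesses $r_3 <_R r_0$ needs no backtracking at all.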

5.3.1 Backtracking, Termination and Complexity 

In the iterations listed in Figure 5.3, we compute the following sequence of least element
candidates:

$$r_0, r_3, r_2, r_3, r_1, r_4.$$

The fact that $r_3$ appears two times may cause doubts regarding the termination of the
backtracking algorithm. The termination of the backtracking algorithm in interactive
realizability has been proven in general, see Theorem 2.15 in [2].

In this particular case we can understand why $r_3$ is computed two times by taking a
closer look at the tree of the possible computations of the least element, which is shown in
Figure 5.4. For reasons of space, we only show the tree for n = 3, which is enough to see
what happens up to the fifth iteration in Figure 5.3. We can see that the first five iterations
in Figure 5.3 correspond to the computation paths ending with the first five leaves from the
left in Figure 5.4, in order.

Moreover, from the computation tree we can see that we never perform the same computation
more than once. Indeed, assume we have just followed a particular computation path.
When we backtrack we increment the state adding a witness of one of the EM$_1$ instances
we encountered along the path, an instance we did not have a witness for. This means that
in the next computation, when we arrive at the node corresponding to that EM$_1$ instance,
instead of taking the left path as we did previously (since the state did not have a witness
for that instance), we take the right path, because this time we do have a witness (since we
just extended the state with it). Therefore, each time we backtrack, the computation path
ends with a leaf that is more to the right in Figure 5.4. This gives a bound to the number of
backtrackings, namely $2^n - 1$.

Figure 5.3: An example of evaluations of the interactive interpretation of the Least Element Lemma
with state extensions.
Iter: the iteration represented by the current row; State: the existential disjuncts witnessed by the
state; Least element: the least element yielded by the Least Element Lemma; Used: a falsifiable
consequence of the Least Element Lemma used in the proof; Deduced from: what we deduced the
falsifiable consequence from; Discovered: the existential assumption we found a witness of.

This is very different from what one could expect by a superficial look at the proof of
the Least Element Lemma. Indeed, if we ignore the undecidability of the order on the reals,
this simple and very natural proof seems to be quite efficient, since its complexity is linear
in n. However, its interactive interpretation has exponential complexity. This can be seen in
the computation tree too: a single computation corresponds to a path and paths have length
n. On the other hand, since we have backtracking, in the worst case we may have to perform
every possible computation. Naturally, the real situation is different since the order on the
reals is undecidable and thus an actual comparison is impossible.

Figure 5.4: The computation tree of the least element for n = 3. The leaves, from left to right, are
$r_0, r_3, r_2, r_3, r_1, r_3, r_2, r_3$.
Each path represents a possible computation, proceeding from root to leaf, where non-leaf nodes are
the current least element candidates and the leaf is the final result. Each branching corresponds to
an EM$_1$ instance, where the left branch is taken when we guess that the universal disjunct holds for
lack of information and the right branch is taken when the state contains the relevant witness.

Moreover, while in the worst case the interactive interpretation needs a time that is expo- 
nential in n, in general it is hard to estimate the amount of backtracking that will be actually 
performed, for two different reasons. 

• The first one is that the actual order of ro, . . . , r n affects heavily the operation of the 
algorithm. Indeed, assume that ro is the least element: the interactive interpretation 
only performs n dummy comparisons and immediately returns a least element candi- 
date that, in this case, is the actual least element, so no backtracking can ensue later. 

• The second reason is that the backtracking is controlled by how the least element candidate
returned by the interactive interpretation is used. It is possible for the interactive
interpretation to return a candidate that is not a least element, but such that its use in an
outer proof does not cause backtracking. In other words, we only need to compute
a least element candidate that is good enough instead of the correct one and this can
translate to a faster computation, again depending on the situation.

In a sense, the second reason also explains how the interactive interpretation is effective even
if a certainly correct least element cannot be found effectively.



5.3.2 The Whole Proof Is Relevant 

In Remark 3, we said that proofs contain both an algorithm (which may be trivial if no
information is being computed) and the proof of its correctness. This is also the case when
we consider the computational content of a proof in the BHK interpretation: we can separate
the part that computes values and such (the informative computation) from the part that
computes the evidence showing that the values are correct (the correctness computation).
The correctness computation does not affect the result of the informative computation and
can be safely discarded when we are only interested in algorithm extraction.

This is not the case for the computational content in the interactive interpretation. Here
the correctness part of the computation affects the backtracking, which affects the state,
which in turn affects the informative part of the computation and thus the computed values.
Therefore, in interactive realizability both parts of the proof interact to produce the final
result.

We have already seen an example of this interaction. In the second iteration we chose $r_3$
as the least element and then we tried to instantiate $r_3 \le_R r_2$. Then we realized that $r_3 \le_R r_2$ is
false and that we had made a wrong assumption somewhere. However $r_3 \le_R r_2$ is not one of
the universal disjuncts which we assumed by lack of information. Therefore we have to look
at the proof in order to find out which universal disjuncts we needed to deduce $r_3 \le_R r_2$ and
to compute the witness which we need to extend the state. This shows that in the interactive
interpretation we cannot forget how we proved the correctness of our computations.
5.4 The Real Plane

In this section we introduce the real plane, points, lines and some relations between them.
We use elementary analytic geometry: points are represented by coordinates, lines by equations
and proofs are mostly computations with real numbers.

We represent a point as a pair of real numbers, its coordinates. Formally we can say that
a point is just a natural number i and that there is a primitive recursive function mapping indexes
into pairs of real numbers. As we did for real numbers, in order to improve readability
we add some sugar to the notation and use the metavariables P, Q, R, S for arithmetic terms
used as indexes of points. When we use the index of a point both as a number and as a point,
we write it as i in the first case and as $P_i$ in the second. We write the coordinates of a point
P as $(x_P, y_P)$ and of a point $P_i$ as $(x_i, y_i)$.

A line passing through two points P and Q is written as PQ. The order of the points induces
an orientation on the line.

Before proceeding we need to introduce further infrastructure for the real numbers. 

5.4.1 Operations on Real Numbers 

Any rational number q can be embedded in our coding of the real numbers: indeed we can
represent q as a real number by taking the nested interval sequence with the lower and higher
extremes constantly equal to q. In particular we assume that there is an index $0_R$ such that
$f^+$ and $f^-$ are constantly zero.

We need to introduce the addition, subtraction and multiplication operations on the reals.
In order to do this formally, we need to assume that for each pair of indexes i and j of real
numbers, there is an index k which corresponds to the nested interval sequence that is the
result of their sum, difference or product. Again, instead of writing the index k, we use the
usual syntax $r_i +_R r_j$ for the sum, $r_i -_R r_j$ for the difference and $r_i \cdot_R r_j$ for the product.

Now we define the actual sequences that represent the result of each operation and show
that they satisfy the real number condition (5.2).

We define addition on the nested interval sequences as:

$$(r_i +_R r_j)^+(k) = r_i^+(k+1) +_Q r_j^+(k+1),$$
$$(r_i +_R r_j)^-(k) = r_i^-(k+1) +_Q r_j^-(k+1).$$
It is immediate to check that the sequences form a sequence of nested intervals; we only
check that they converge with the required speed, which is the condition that requires the
use of k + 1 in the previous definition:

$$\begin{aligned}
(r_i +_R r_j)^+(k) -_Q (r_i +_R r_j)^-(k) &=_Q (r_i^+(k+1) +_Q r_j^+(k+1)) -_Q (r_i^-(k+1) +_Q r_j^-(k+1)) \\
&=_Q (r_i^+(k+1) -_Q r_i^-(k+1)) +_Q (r_j^+(k+1) -_Q r_j^-(k+1)) \\
&<_Q 2^{-(k+1)} +_Q 2^{-(k+1)} =_Q 2^{-k}.
\end{aligned}$$

We can define the difference by combining the sum and the opposite, which is defined as:

$$(-r)^+(k) = -_Q r^-(k),$$
$$(-r)^-(k) = -_Q r^+(k).$$

Defining the product is slightly more complicated. For simplicity we only show the case
when the extremes of the intervals are always positive.

So let $r_i^+$, $r_i^-$, $r_j^+$ and $r_j^-$ be sequences of positive rational numbers. We define their
product as:

$$(r_i \cdot_R r_j)^+(k) = r_i^+(l) \cdot_Q r_j^+(l),$$
$$(r_i \cdot_R r_j)^-(k) = r_i^-(l) \cdot_Q r_j^-(l),$$

where l depends on k. In order to determine l we consider the convergence condition and
look for the smallest l that satisfies it:

$$(r_i \cdot_R r_j)^+(k) -_Q (r_i \cdot_R r_j)^-(k) <_Q 2^{-k}.$$

We begin by finding a simple upper bound for the left-hand side:

$$\begin{aligned}
(r_i \cdot_R r_j)^+(k) -_Q (r_i \cdot_R r_j)^-(k) &=_Q r_i^+(l) \cdot_Q r_j^+(l) -_Q r_i^-(l) \cdot_Q r_j^-(l) \\
&=_Q r_i^+(l) \cdot_Q r_j^+(l) -_Q r_i^+(l) \cdot_Q r_j^-(l) +_Q r_i^+(l) \cdot_Q r_j^-(l) -_Q r_i^-(l) \cdot_Q r_j^-(l) \\
&=_Q r_i^+(l) \cdot_Q (r_j^+(l) -_Q r_j^-(l)) +_Q r_j^-(l) \cdot_Q (r_i^+(l) -_Q r_i^-(l)) \\
&<_Q r_i^+(l)\, 2^{-l} +_Q r_j^-(l)\, 2^{-l} =_Q (r_i^+(l) +_Q r_j^-(l))\, 2^{-l}.
\end{aligned}$$

Thus the convergence condition is satisfied when:

$$(r_i^+(l) +_Q r_j^-(l))\, 2^{-l} <_Q 2^{-k}.$$

We define l as the smallest natural number satisfying the previous inequality.

5.4.2 The Left and Right Predicates 

In order to write the formal statement of the Convex Angle Theorem, we need a way to
determine the position of a point with respect to a line.

First of all consider two points P and Q. We can write the equation that a point R has to
satisfy to be on the line going through them:

$$(x_Q - x_P)(y_R - y_P) - (x_R - x_P)(y_Q - y_P) =_R 0_R. \qquad (5.7)$$

If the left-hand side is zero then R is on the same line with P and Q. When the left-hand side is
not zero, we can use its sign to distinguish which side of PQ R is on. We call these sides left
and right. We write left(P, Q, R) (resp. right(P, Q, R)) and we say that R is to the left (resp.
right) of the line passing through the points P and Q when

$$\mathrm{left}(P, Q, R) = (x_Q - x_P)(y_R - y_P) - (x_R - x_P)(y_Q - y_P) >_R 0_R,$$
$$\mathrm{right}(P, Q, R) = (x_Q - x_P)(y_R - y_P) - (x_R - x_P)(y_Q - y_P) <_R 0_R,$$

as seen in Figure 5.5. A few remarks on this definition:

• left and right are positively decidable, since they are defined by means of $<_R$;

• since the definitions of left and right are almost the same and only the direction of the
inequality changes, R is to the left of PQ if and only if Q is to the right of PQ;

• the left side of PQ corresponds to the right side of QP and the other way around, so
the order of the points is significant;

• the left-hand side of (5.7) can also be thought of as the scalar product of $(-(y_Q - y_P), x_Q - x_P)$,
the orthogonal of the vector from P to Q, and $(x_R - x_P, y_R - y_P)$, the vector from
P to R.

We say that P is above Q if $y_P >_R y_Q$ and that R is below Q when $y_R <_R y_Q$.
Figure 5.5: R is to the left of PQ.

5.5 The Geometric Part of the Proof

Now we are ready to present the rest of the proof of the main statement. We divide the proof
in two parts, the first given as a lemma. Since these proofs are more complex, for reasons of
readability and space we will not be as formal as we have been until now.

From this point onward we assume that no three points are on the same line, formally:

$\forall P, Q, R.\ \mathrm{left}(P, Q, R) \vee \mathrm{right}(P, Q, R).$ (5.8)

This is a strong assumption, even more so because we require this to hold constructively: since
left and right are $\Sigma^0_1$ formulas defined with $<_\mathbb{R}$, we assume that we have an effective map
that, given three points, yields the precision we need to reach in order to check that R is not
on the line PQ. In other words, we are assuming that we have a procedure that effectively
decides instances of the left and right predicates. The effective computation we extract uses
this procedure as a parameter.

A further consequence is that all points must be distinct: when $x_P =_\mathbb{R} x_Q$ and $y_P =_\mathbb{R} y_Q$,
the left-hand side in (5.7) is always zero for any R.

In the next lemma the points $Q_0$, $Q_1$, $Q_2$ are three generic points, that is, $Q_i$ is not
necessarily the point indexed by the natural number i. Moreover we assume that the index i in
$Q_i$ is interpreted up to congruence modulo 3 and thus always falls in {0, 1, 2}. For instance,
when we write $Q_4$, we actually mean $Q_1$. We write the coordinates of $Q_i$ as $(x_i, y_i)$, with the
same conventions for the index. We prove that when three points are one to the left of the
other with respect to a central one, one of them is necessarily lower than the central point,
as shown in Figure 5.6.

Lemma 8 (Three points). Assume (5.8) and let P, $Q_0$, $Q_1$ and $Q_2$ be four points in the real
plane such that $Q_{i+1}$ is to the left (resp. right) of $PQ_i$ for any i < 3. Then at least one of
$Q_0$, $Q_1$, $Q_2$ is strictly below P. Formally:

$\forall P, Q_0, Q_1, Q_2.\ (\forall i < 3.\ \mathrm{left}(P, Q_i, Q_{i+1})) \to \exists i < 3.\ y_i <_\mathbb{R} y_P.$

Figure 5.6: The three points lemma when $Q_2$ is the point below P.



Classical proof. Without loss of generality we can assume that the coordinates of P are
$(0_\mathbb{R}, 0_\mathbb{R})$. Then, unfolding the definition of left, the hypothesis on the points can be written
as:

$\forall i < 3.\ x_i y_{i+1} - x_{i+1} y_i >_\mathbb{R} 0_\mathbb{R}.$

The first step is showing that there are at least two points whose vertical coordinate is not zero.
This follows from the fact that if, for some i < 3, $y_i = 0_\mathbb{R}$ then $y_{i+1} \neq 0_\mathbb{R}$ and $y_{i-1} \neq 0_\mathbb{R}$. This
is the case since if $y_i = 0_\mathbb{R}$ then

$x_{i-1} y_i - x_i y_{i-1} = -x_i y_{i-1} >_\mathbb{R} 0_\mathbb{R},$
$x_i y_{i+1} - x_{i+1} y_i = x_i y_{i+1} >_\mathbb{R} 0_\mathbb{R},$

and then $y_{i+1} \neq 0_\mathbb{R}$ and $y_{i-1} \neq 0_\mathbb{R}$. Then we can assume that $y_{i+1}$ and $y_{i-1}$ are not zero. If
either of them is negative we can conclude.

Otherwise they are both positive. We show that, in this case, $y_i$ is negative. By hypothesis
we know that:

$x_{i-1} y_i - x_i y_{i-1} >_\mathbb{R} 0_\mathbb{R},$
$x_i y_{i+1} - x_{i+1} y_i >_\mathbb{R} 0_\mathbb{R}.$

Since $y_{i+1}$ and $y_{i-1}$ are positive we can multiply the previous inequalities:

$y_{i+1}(x_{i-1} y_i - x_i y_{i-1}) >_\mathbb{R} 0_\mathbb{R},$
$y_{i-1}(x_i y_{i+1} - x_{i+1} y_i) >_\mathbb{R} 0_\mathbb{R}.$

By adding them together we get:

$y_i(x_{i-1} y_{i+1} - x_{i+1} y_{i-1}) >_\mathbb{R} 0_\mathbb{R}.$

Since the term in parentheses is negative by hypothesis, $y_i$ must be too. Since Q, R and S are
to the right of each other with respect to P if and only if S, R and Q are to the left of each
other with respect to P, the proof for right is basically the same. □

The previous proof can be made constructive. Since the proofs are very similar, we give
the intuitionistic proof without explaining how we obtained it from the classical one. The
main difference is that, in the intuitionistic proof, we work directly on the rational intervals
approximating the coordinates of the points and thus we use rational arithmetic, which is
decidable. For any precision k, let $X_i(k)$ and $Y_i(k)$ be the closed rational intervals $[x_i^-(k), x_i^+(k)]$
and $[y_i^-(k), y_i^+(k)]$ respectively. We write $q_i \in X_i(k)$ as a compact notation for $x_i^-(k) \le_\mathbb{Q} q_i \wedge q_i \le_\mathbb{Q} x_i^+(k)$.

Intuitionistic proof. Without loss of generality we can assume that the coordinates of P are
$(0_\mathbb{R}, 0_\mathbb{R})$. Then, unfolding the definition of left, the hypothesis on the points can be written
as:

$\forall i < 3.\ x_i y_{i+1} - x_{i+1} y_i >_\mathbb{R} 0_\mathbb{R}.$

By unfolding the definition of real numbers as sequences of nested intervals and those of the
operations on real numbers, we can compute some precision k such that:

$\forall i < 3.\ \forall q_i \in X_i(k),\ p_i \in Y_i(k),\ q_{i+1} \in X_{i+1}(k),\ p_{i+1} \in Y_{i+1}(k).\ q_i p_{i+1} - q_{i+1} p_i >_\mathbb{Q} 0_\mathbb{Q}.$ (5.9)


110 Chapter 5. Interpreting a Geometric Example with Interactive Realizability 

The first step is showing that there are at least two points whose vertical coordinate is not zero.
In order to show this, assume that for some i < 3 we have $0_\mathbb{Q} \in Y_i(k)$. Then we can take
$p_i = 0_\mathbb{Q}$ in (5.9), for i - 1 and i:

$\forall q_{i-1} \in X_{i-1}(k),\ q_i \in X_i(k),\ p_{i-1} \in Y_{i-1}(k).\ q_{i-1} p_i - q_i p_{i-1} = -q_i p_{i-1} >_\mathbb{Q} 0_\mathbb{Q},$
$\forall q_i \in X_i(k),\ q_{i+1} \in X_{i+1}(k),\ p_{i+1} \in Y_{i+1}(k).\ q_i p_{i+1} - q_{i+1} p_i = q_i p_{i+1} >_\mathbb{Q} 0_\mathbb{Q}.$

Therefore, for $j \in \{i - 1, i + 1\}$, $0_\mathbb{Q} \notin Y_j(k)$ and, since $Y_j(k)$ is an interval, it must be either
completely positive or completely negative, namely, either $y_j^-(k) >_\mathbb{Q} 0_\mathbb{Q}$ or $y_j^+(k) <_\mathbb{Q} 0_\mathbb{Q}$. If either
one is completely negative then we have the conclusion.

Otherwise they are both completely positive and we show that, in this case, $Y_i(k)$ is
completely negative. For all $q_j \in X_j(k)$ and all $p_j \in Y_j(k)$ with $j \in \{0, 1, 2\}$, we know by
hypothesis that:

$q_{i-1} p_i - q_i p_{i-1} >_\mathbb{Q} 0_\mathbb{Q},$
$q_i p_{i+1} - q_{i+1} p_i >_\mathbb{Q} 0_\mathbb{Q}.$

Since $p_{i+1}$ and $p_{i-1}$ are positive we can multiply the previous inequalities:

$p_{i+1}(q_{i-1} p_i - q_i p_{i-1}) >_\mathbb{Q} 0_\mathbb{Q},$
$p_{i-1}(q_i p_{i+1} - q_{i+1} p_i) >_\mathbb{Q} 0_\mathbb{Q}.$

By adding them together we get:

$p_i(q_{i-1} p_{i+1} - q_{i+1} p_{i-1}) >_\mathbb{Q} 0_\mathbb{Q}.$

Since the term in parentheses is negative by hypothesis, $p_i$ must be too, for all $p_i \in Y_i(k)$.

Since Q, R and S are to the right of each other with respect to P if and only if S, R and
Q are to the left of each other with respect to P, the proof for right is basically the same. □
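The left and right predicates of Section 5.4.2 and the case analysis of Lemma 8, as an added example in Python; this is not code from the dissertation. Points are pairs of exact rationals (Python's Fraction) standing in for the interval-approximated reals, so every comparison is decidable and no precision k has to be computed. The function names, the `side` parameter and the sample points are this example's own.

```python
from fractions import Fraction as Q

# Added example (not the dissertation's code). Points are pairs of exact
# rationals, so every comparison below is decidable; the names `orient`,
# `orient_by_dot`, `left`, `right` and `three_points` are this example's own.

def orient(P, A, B):
    """Left-hand side of (5.7): (x_A - x_P)(y_B - y_P) - (x_B - x_P)(y_A - y_P)."""
    (xp, yp), (xa, ya), (xb, yb) = P, A, B
    return (xa - xp) * (yb - yp) - (xb - xp) * (ya - yp)

def orient_by_dot(P, A, B):
    """The same quantity as the scalar product of the orthogonal of P->A with P->B
    (the last remark of Section 5.4.2)."""
    (xp, yp), (xa, ya), (xb, yb) = P, A, B
    nx, ny = -(ya - yp), xa - xp          # orthogonal of the vector from P to A
    return nx * (xb - xp) + ny * (yb - yp)

def left(P, A, B):
    return orient(P, A, B) > 0            # B is to the left of PA

def right(P, A, B):
    return orient(P, A, B) < 0            # B is to the right of PA

def three_points(P, Qs, side="left"):
    """Lemma 8 as a procedure: Qs = [Q0, Q1, Q2] with Q_{i+1} on `side` of P Q_i
    for every i (indices mod 3). Returns an index i with y_i < y_P, following
    the case analysis of the classical proof."""
    if side == "right":
        # Q, R, S right of each other iff S, R, Q left of each other
        return 2 - three_points(P, Qs[::-1], "left")
    if not all(left(P, Qs[i], Qs[(i + 1) % 3]) for i in range(3)):
        raise ValueError("hypothesis of Lemma 8 does not hold")
    y = [q[1] - P[1] for q in Qs]         # translate so that P is the origin
    # at most one y_i is zero, so some i has both neighbours nonzero
    i = next(i for i in range(3) if y[i - 1] != 0 and y[(i + 1) % 3] != 0)
    if y[(i + 1) % 3] < 0:
        return (i + 1) % 3
    if y[i - 1] < 0:
        return (i - 1) % 3
    # both neighbours positive: the proof shows y_i must be negative
    assert y[i] < 0
    return i

# constructed sample: P at the origin; Q1 left of PQ0, Q2 left of PQ1, Q0 left of PQ2
SAMPLE_P = (Q(0), Q(0))
SAMPLE_QS = [(Q(1), Q(1)), (Q(-1), Q(1)), (Q(0), Q(-1))]   # Q2 is below P

if __name__ == "__main__":
    print(three_points(SAMPLE_P, SAMPLE_QS))                  # 2
    print(three_points(SAMPLE_P, SAMPLE_QS[::-1], "right"))   # 0
```

The `right` variant reuses the left one by reversing the order of the three points, which is exactly the symmetry the proof invokes in its last sentence; the index returned is mapped back through the reversal.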

We can now prove the main statement. 

Theorem 6 (Convex Angle). Assume (5.8). For any n > 1, we can select three points P, Q
and R from $\{P_0, \ldots, P_n\}$ such that all the remaining points fall in the angle QPR, that is, all
points are to the left of PQ and to the right of PR.

$\forall n \ge 2.\ \exists i, j, k \le n.\ \forall l \le n.\ l \neq i \wedge (l \neq j \to \mathrm{left}(P_i, P_j, P_l)) \wedge (l \neq k \to \mathrm{right}(P_i, P_k, P_l)).$
Classical proof. Let P be the point with the least vertical coordinate and choose other two
points Q' and R', which are our candidates for Q and R respectively. We want all points
except P to be to the left of PQ and to the right of PR. If Q' is to the left of PR', we swap
Q' and R'. Thus we know that Q' is to the right of PR' and R' is to the left of PQ'.
Now consider any point S except P, Q' and R'. We have four cases:

• If S is to the left of PQ' and if it is to the right of PR', then we keep Q' and R' as
candidates for Q and R.

• If S is to the right of PQ', then we choose S as the new candidate for Q.

Clearly Q' is to the left of PS. Moreover, any other point S', which we already
checked to be to the left of PQ', is to the left of PS too. This is a consequence of (5.8)
and Lemma 8.

Indeed, from (5.8), we know that S' is either to the left or to the right of PS. We
already know that S is to the right of PQ' and Q' is to the right of PS'. If S' were
to the right of PS, then by Lemma 8, one of Q', S or S' would have to be strictly lower
than P, which would be a contradiction, since P is the lowest point. Thus S' is to the
left of PS.

• Symmetrically, if S is to the left of PR', then we choose S as the new candidate for R.

• We show that S cannot be to the right of PQ' and to the left of PR':

If this were the case, Q' would be to the left of PS and S would be to the left of PR'.
Since we know that R' is to the left of PQ', by Lemma 8, one of S, Q' or R' would be
strictly lower than P. This is a contradiction, since P is the lowest point by the Least
Element Lemma.

We repeat this procedure for all the points except P, Q' and R' and we find the required
points Q and R. □

For convenience we have written the proof as an iterative algorithm. The proof is actually 
by induction on a slightly stronger version of the final statement, that adds the requirement 
for P to be lower than all the other points. 

5.6 The Interactive Interpretation 

Before studying the interactive interpretation of the whole proof of the Convex Angle Theorem
along with its lemmas, we need to understand their computational significance. Thus we
stop for a moment and recall some general considerations on the computational meaning of 
formulas in the BHK interpretation and, more specifically, in the Curry-Howard correspon- 
dence. 

As a consequence of the proofs-as-programs and formulas-as-types interpretation, the
conclusion of a proof (that is, the statement it proves) can be thought of as the specification 
of the program representing the proof. 

5.6.1 Subroutines, arguments and effective computations 

In order to understand how the interactive interpretation works, it is important to distinguish 
computations that can be carried out effectively from those that cannot. Consider a proof of 
a statement of the form: 

$\forall x.\ \exists y.\ A.$ (5.10)

If we read the previous formula as a specification, it calls for a program that describes a 
function, a subroutine. It takes a natural number as an argument named x and returns a 
pair containing a natural number y and a program/proof that y satisfies A. More generally, 
statements in mathematics have the following form: 

$\forall x_1, \ldots, x_n.\ A_1 \wedge \cdots \wedge A_m \to A.$

This can again be seen as the specification of a subroutine, taking n natural numbers and m
programs as arguments. From this point of view, it becomes clear that such a program is 
not computing anything, at least in itself. An effective computation can only start once the 
subroutine is applied to an argument. 

All of our theorems begin with universal quantifications and implications, that is, they
are specifications for programs that code functions with arguments. Thus, in order to have an
actual computation we have to provide the program with the required arguments.

5.6.2 The Interactive Interpretation of the Whole Proof 

We can now explain the interactive interpretation of the whole proof, composed of the two 
lemmas and the final algorithmic proof. We focus on the interaction between these parts 
without analyzing each part in detail as we have done for the Least Element Lemma. 

We start by considering the statement of the Convex Angle Theorem. Assume that we are 
given a natural number n. In the proof we work with the first n + 1 points of the enumeration.

The proof is an iterative procedure to select P, Q and R satisfying the following bounding 
condition: 

$\forall l \le n.\ l \neq i \wedge (l \neq j \to \mathrm{left}(P_i, P_j, P_l)) \wedge (l \neq k \to \mathrm{right}(P_i, P_k, P_l)).$ (5.11)

The bounding condition specifies an informative computation, since left and right are defined
by means of $<_\mathbb{R}$, which is an existential quantification. Thus its proofs compute some
witnesses, namely the precision of the comparisons we need to check that the bounding
condition holds. While we are mainly interested in the choice of the points P, Q and R and
not in the information needed to prove the bounding condition itself, the precision of the
computation provided by (5.11) is actually used in the interactive interpretation since it can
cause backtracking.

We claim that this bounding condition specifies an effective computation. First of all, 
the outer universal quantification is bounded, thus, in order to compute the condition, we 
have to compute the body of the quantification n + 1 times. The same holds for the conjunc- 
tions. Thus the effectiveness of the whole condition follows from the effectiveness of the 
conjuncts. The implications are effective: their only argument, the proof of the antecedent,
is an arithmetical atomic formula, hence irrelevant, thus the computations they specify must be
constant functions. Therefore, we can effectively compute them by applying them to any single
argument. Finally their consequents specify effective computations, thanks to (5.8), the
assumption that no three points are on the same line. Thus, proofs of the bounding condition
describe effective computations.

Now we can start following the proof. In the beginning, the lowest point P is selected 
using the Least Element Lemma on the vertical coordinate. Consider the statement of the 
Least Element Lemma: 

$\forall n.\ \exists i \le n.\ \forall j \le n.\ r_i \le_\mathbb{R} r_j.$

As a specification, it calls for a program that, given n, yields the value i and the correctness 
computation that checks that i is the least element. Since the correctness computation cannot 
be carried out effectively (it is negatively decidable), the interactive interpretation computes 
a trivial least element the first time. If later in the proof we happen to partially compute the 
correctness computation, then we may discover new information and backtrack again to the 
least element computation. Since the Least Element Lemma does not necessarily return a 
least element, but only a least element candidate, P is not the lowest point either, but just a 
lowest point candidate. 

The function of Lemma 8 is to prove that some point is strictly lower than P, thus pro- 
ducing a contradiction. In the classical proof this ensures that undesirable situations never 
happen. In the interactive interpretation however, since P is not necessarily the lowest point, 
no contradiction occurs. Instead, what happens is that we actually are in one of the cases 
we had excluded in the classical proof. At this point, in order to deduce the contradictory 
statement, we have partially computed the correctness computation returned by the Least El- 
ement Lemma and thus discovered which assumption was incorrectly guessed. We compute 
the relevant witness and extend the state accordingly. Then we compute a new lowest point 
candidate and continue again following the proof of the Convex Angle Theorem until either 
we can satisfy its conclusion or we backtrack again. 

We use Lemma 8 in two places in the proof of the Convex Angle Theorem. The first use 
takes place when, while iterating on the points, we discover that the bounding condition fails 
for some S and we choose S as the new candidate for Q or R. We use Lemma 8 to show that 
this choice satisfies the bounding condition for all the previous points we iterated over until 
now. More precisely we use Lemma 8 to prove that, if the bounding conditions fails for S , 
then one of Q, R or S is strictly lower than P. As we described previously, this in turn starts 
the backtracking. Here is an example illustrating an interesting situation:



Here S is to the right of PQ, so we replace Q with S . From the picture we see that S 
is actually strictly lower than P. On the other hand the bounding condition is satisfied by 
taking S as P. In this situation, do we backtrack or not? We know that we can find a 
better candidate for the lowest point, but P seems to be good enough already, so there is 
no real need for a better candidate. Both options are sound and the choice depends on the 
exact formalization of the proof and the exact sequences of rationals representing the vertical 
coordinate of the points in question. 

We also use Lemma 8 to claim that the bounding condition cannot fail because S is both 
to the right of PQ and to the left of PR: 



This case was excluded completely in the classical proof, since it always leads to contra- 
diction. When it occurs in the interactive interpretation, we backtrack for sure since the 
bounding condition cannot be satisfied. More precisely, in this case Lemma 8 proves that 
one of Q, R or S is strictly lower than P. Therefore, in order to get the contradiction, we
instantiate the assumptions $y_P \le_\mathbb{R} y_Q$, $y_P \le_\mathbb{R} y_R$ and $y_P \le_\mathbb{R} y_S$ with enough precision to falsify
at least one of them.

As a last example, consider a situation where the state is empty and thus P is simply the 
first point in the enumeration. Assume that the points are arranged as shown: 






Since the bounding condition is satisfied immediately, we never need to use Lemma 8. Thus
backtracking never ensues. This means that P, while certainly not the lowest point, is a good
enough candidate and we do not need another one. This is one of the cases we mentioned
where the interactive interpretation produces a fast computation, since the lowest point is
only computed once and the proof ends with no backtracking. This shows how the behavior
of the interactive interpretation of the Least Element Lemma depends heavily on the final
statement of the proof.
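The iterative procedure of the classical proof of Theorem 6 together with the backtracking described in this section, as an added example in Python; this is not the dissertation's code. The points are exact rationals, so left and right are decided directly and (5.8) is checked by enumeration. The Least Element Lemma is modelled by a candidate index plus a state holding the points learnt to be lower, and `find_lower` stands for the partial computation of its correctness check (the comparison of $y_P$ with the three points Lemma 8 singles out). The function names and the sample points are this example's own.

```python
from fractions import Fraction as Q
from itertools import combinations

# Added example (not the dissertation's code): a simulation of the interactive
# interpretation of the Convex Angle Theorem over exact rationals. The names
# `convex_angle`, `find_lower` and `interactive_convex_angle` are this example's own.

def orient(P, A, B):
    """Left-hand side of (5.7)."""
    (xp, yp), (xa, ya), (xb, yb) = P, A, B
    return (xa - xp) * (yb - yp) - (xb - xp) * (ya - yp)

def left(P, A, B):
    return orient(P, A, B) > 0

def right(P, A, B):
    return orient(P, A, B) < 0

def general_position(pts):
    """Assumption (5.8): no three points on a line (decidable over the rationals)."""
    return all(orient(*t) != 0 for t in combinations(pts, 3))

def bounding_condition(pts, i, j, k):
    """(5.11) by brute force: every other point is left of P_i P_j and right of P_i P_k."""
    P = pts[i]
    return all((l == j or left(P, pts[j], pts[l])) and (l == k or right(P, pts[k], pts[l]))
               for l in range(len(pts)) if l != i)

def find_lower(pts, i, cands):
    """Partial run of the Least Element Lemma's correctness computation: compare
    y_P with the candidates among which Lemma 8 guarantees a lower point."""
    for l in cands:
        if pts[l][1] < pts[i][1]:
            return l
    raise AssertionError("Lemma 8 guarantees a lower point under (5.8)")

def convex_angle(pts, i):
    """One pass of the classical proof's procedure with P = pts[i] as the
    lowest-point candidate. Returns ('ok', (i, j, k)) when the bounding condition
    is reached, or ('lower', l) when a case excluded in the classical proof occurs;
    l is then an index strictly lower than the candidate."""
    P = pts[i]
    others = [l for l in range(len(pts)) if l != i]
    j, k = others[0], others[1]                  # candidates Q', R'
    if left(P, pts[k], pts[j]):                  # Q' left of PR': swap them
        j, k = k, j
    seen = [j, k]                                # points already checked
    for l in others[2:]:
        S = pts[l]
        if left(P, pts[j], S) and right(P, pts[k], S):
            pass                                 # keep Q' and R'
        elif right(P, pts[j], S) and left(P, pts[k], S):
            return "lower", find_lower(pts, i, [j, k, l])   # the excluded case
        elif right(P, pts[j], S):                # S becomes the new Q'
            for m in seen:                       # earlier points must be left of PS
                if right(P, S, pts[m]):
                    return "lower", find_lower(pts, i, [j, l, m])
            j = l
        else:                                    # S left of PR': new R'
            for m in seen:                       # earlier points must be right of PS
                if left(P, S, pts[m]):
                    return "lower", find_lower(pts, i, [k, l, m])
            k = l
        seen.append(l)
    return "ok", (i, j, k)

def interactive_convex_angle(pts):
    """Start from the trivial candidate P_0 (empty state); whenever the proof meets
    an excluded case, learn the lower point, extend the state and restart with it
    as the new candidate. Returns ((i, j, k), state)."""
    if not general_position(pts):
        raise ValueError("(5.8) does not hold for these points")
    state, cand = [], 0
    while True:
        status, result = convex_angle(pts, cand)
        if status == "ok":
            return result, state
        state.append(result)                     # y_P strictly decreases, so this ends
        cand = result

# constructed sample: P_0 is not the lowest point, P_1 is
PTS = [(Q(0), Q(2)), (Q(3), Q(0)), (Q(-3), Q(1)), (Q(1), Q(4)), (Q(-2), Q(5))]

if __name__ == "__main__":
    print(interactive_convex_angle(PTS))      # ((2, 1, 4), [2])
    print(convex_angle(PTS, 1))               # ('ok', (1, 3, 2)): the true lowest point
```

On the constructed points the run starts from $P_0$, hits the excluded case on its first pass, learns that $P_2$ is lower, and then succeeds with $P_2$ as the candidate: $P_2$ is not the lowest point ($P_1$ is), but it is good enough, exactly the situation described in the last example above. A pass started from the true lowest point never backtracks.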
A.1 Additional Reductions

In this section we list the standard reductions (given in [20]) that we did not need in order 
to prove Lemma 4. The main reason is that in the proof we are only concerned with prin- 
cipal branches and some reductions only affect non-principal branches. We list them for 
completeness. 

A.1.1 Permutative Reductions

We saw how the proper reductions are performed when the conclusion of an introduction
rule instance is the major premiss of an elimination rule instance. The situation becomes less
straightforward when the conclusion of an introduction rule instance α is a minor premiss of
an ∨E or ∃E rule instance γ whose conclusion is in turn the major premiss of an elimination
rule instance β. Also in this case the formula introduced by α is eliminated by β, but we
cannot apply a proper reduction since γ is in the way. What we can do is to rearrange the
derivation by moving β above (or "inside") γ, so that β is immediately below α and we can
apply the suitable proper reduction. Therefore we have two permutative reductions, depending
on whether γ is an instance of the ∨E or the ∃E rule. Note that repeated application of
the permutative reductions allows us to apply a proper reduction even when there is more
than one instance of the ∨E or the ∃E rule between α and β. Thus they can be thought of as
auxiliary reductions that can eventually enable a suitable proper reduction. They are listed
in Figure A.1.



Figure A.1: The permutative reductions.
A.1.2 Immediate Simplifications

Consider a different kind of avoidable complexity in derivations: an instance α of the ∨E or
the ∃E rule such that one of its minor premisses a is derived without using the assumption
discharged by α. More precisely this means that no occurrence of the assumption discharged
by α appears in the subderivation of a. Whenever this is the case we say that α is redundant
since we do not need the assumptions it provides in order to prove its conclusion. There are
two reductions, called immediate simplifications, depending on whether α is an instance of
the ∨E or the ∃E rule. They are listed in Figure A.2.



Figure A.2: The immediate simplifications. 
A.2 Witness Reduction in Two Steps

Instead of giving the single reduction Wit-red, we can split it in two distinct reductions, one
that looks for counterexamples and eliminates occurrences of the open assumptions of the
EM₁ rule and one that eliminates instances of the EM₁ rule when their conclusion can be
derived without the universal or existential assumption.
A.2.1 A Lighter Witness Extracting Reduction

More precisely consider an instance α of the EM₁ rule for the quantifier-free formula A:

    [∀x. A]^α        [¬A[x := y]]^α
        Π₁                Π₂
         C                 C
    ──────────────────────────────── EM₁ α
                    C

Let a be an occurrence of the assumption ∀x. A discharged by α in Π₁. In order to be able to
perform the reduction we assume the following:

• a is the premiss of a ∀E instance β,

• the conclusion of β is the occurrence of a closed formula.

Let b be the conclusion of β. b is an occurrence of the closed quantifier-free formula A[x := t]
for some term t. Since closed quantifier-free formulas are decidable, in the reduction we can
distinguish two cases, depending on whether A[x := t] is true or false.

• A[x := t] is true.

Let Π₁ be a derivation of A[x := t] and replace β with Π₁:

    [∀x. A]^α
    ───────── ∀E     ⇝        Π₁
    A[x := t]               A[x := t]

• otherwise ¬A[x := t] is true.

Let Π₂ be a derivation of ¬A[x := t] and replace all the occurrences of the assumption
¬A[x := t] discharged by α in the derivation of its rightmost premiss with Π₂:

    [¬A[x := y]]^α     ⇝        Π₂
                              ¬A[x := t]

We denote this reduction as Wit-red.

Whenever this reduction can be applied it removes one or more occurrences of one of
the assumptions discharged by α. If there are no more occurrences of such assumptions in
either Π₁ or Π₂ then α is redundant and can be deleted by EM₁-simpl.
A.2.2 Immediate Simplification

Redundant EM₁ rule instances can be defined and reduced in the same way as redundant ∨E
instances. Consider an EM₁ rule instance α such that one of its premisses is derived without
using the assumption discharged by α. Then we can reduce as follows:

    [∀x. A]^α        [¬A[x := y]]^α
        Π₁                Π₂                      Π₁            Π₂
         C                 C           ⇝          C     or      C
    ──────────────────────────────── EM₁ α
                    C

depending on whether it is Π₁ or Π₂ that contains no occurrence of the assumption
discharged by α. We denote this reduction as EM₁-simpl.